Instant Messaging Worm_Sohanad
Original issue date: October 10, 2006
It has been observed that a memory-resident worm known as Worm_Sohanad is propagating in the wild via instant messaging applications such as Yahoo Messenger. It sends messages containing malicious links to all the addresses contained in the contact list of the infected Yahoo Messenger user. On clicking the link, a copy of the worm, and possibly other malicious files, is downloaded onto the system.
Aliases: W32.Imaut.A [Symantec], WORM_SOHANAD.A [Trend Micro]
Variants: WORM_SOHANAD.B, WORM_SOHANAD.C, W32.Imaut.B, W32.Imaut.C
Upon execution:
- It drops a copy of itself to the Windows folder as svhost32.exe, svchost32.exe or svhost.exe.
- It creates registry entries for automatic execution at every system startup.
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Task Manager = "%Windows%\svchost32.exe"
    Svchost = "%Windows%\svhost.exe"
- It creates registry entries to disable Registry Editor and Task Manager, hindering manual cleanup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = "dword:00000001"
    DisableTaskMgr = "dword:00000001"
- It changes the Internet Explorer home page by modifying the following entry:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page = http://{BLOCKED}tiry45.googlepages.com/index.html
- It changes the Yahoo Messenger settings by modifying the following entries:
  HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
    content url = http://{BLOCKED}tiry45.googlepages.com/index.html
  HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
    content url = http://{BLOCKED}tiry45.googlepages.com/index.html
- It sends messages containing malicious URLs to the user's IM contacts. Observed message texts include:
- have you ever seen such a silly man like this? [malicious link]
- making money online never be easier : [malicious link]
- damn, she is so cute [malicious link]
- to only way to clean some online viruses that may lead you into troubles : [malicious link]
- Now you can avoid some critical online viruses by updating Windows. Click here to know how to Update Windows : [malicious link]
- A new dangerous computer virus that can destroys all your data has just been released. Click here to know how to avoid it : [malicious link]
- Download free MP3s : [malicious link]
- You are virus infected. Use this tool to remove viruses from your PC : [malicious link]
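As an added example, not part of the advisory, the following Python script scans a Windows registry export (the text produced by regedit /e) for the registry indicators listed above: the Run-key autorun entries pointing at the dropped file names, the DisableRegistryTools / DisableTaskMgr policy values, and the hijacked Internet Explorer and Yahoo Messenger URLs. The embedded .reg fragment is constructed for this example and the parser is a minimal one written here; both are assumptions, not vendor or CERT-In code.

```python
"""Scan a registry export (.reg text) for the Worm_Sohanad indicators
named in the advisory: Run-key persistence, tool-lockout policies and
hijacked IE / Yahoo Messenger content URLs."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the advisory text.
DROPPED_NAMES = {"svhost32.exe", "svchost32.exe", "svhost.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
YAHOO_KEYS = (
    r"HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz",
    r"HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast",
)
HIJACK_DOMAIN = "googlepages.com"  # domain suffix of the {BLOCKED} URL in the advisory

# Constructed sample export (not a real capture); the URL is the advisory's
# redacted value reproduced verbatim.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\svchost32.exe"
"Svchost"="C:\\WINDOWS\\svhost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://{BLOCKED}tiry45.googlepages.com/index.html"

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"="http://{BLOCKED}tiry45.googlepages.com/index.html"

[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast]
"content url"="http://{BLOCKED}tiry45.googlepages.com/index.html"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for 'Windows Registry Editor' exports.
    Returns {key_path: {value_name: data}}; REG_SZ as str, REG_DWORD as int.
    Key paths are lower-cased because registry paths are case-insensitive."""
    result: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            parsed: object = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes and backslashes with a backslash
            parsed = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            parsed = data  # hex:/expand-string forms are left untouched
        result[current][name] = parsed
    return result


def find_sohanad_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for every matching indicator."""
    hive = parse_reg_export(text)
    findings: List[Tuple[str, str, str]] = []

    # 1. Autorun entries whose target file name is one of the dropped copies.
    for name, data in hive.get(RUN_KEY.lower(), {}).items():
        if isinstance(data, str):
            basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename in DROPPED_NAMES:
                findings.append((RUN_KEY, name, f"autorun of dropped file {basename}"))

    # 2. Registry Editor / Task Manager lockout policies.
    policies = hive.get(POLICY_KEY.lower(), {})
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if policies.get(name) == 1:
            findings.append((POLICY_KEY, name, "tool lockout policy set to 1"))

    # 3. Internet Explorer start page pointing at the hijack domain.
    start = hive.get(IE_MAIN_KEY.lower(), {}).get("Start Page", "")
    if isinstance(start, str) and HIJACK_DOMAIN in start.lower():
        findings.append((IE_MAIN_KEY, "Start Page", "home page points at hijack domain"))

    # 4. Yahoo Messenger content URLs pointing at the hijack domain.
    for key in YAHOO_KEYS:
        url = hive.get(key.lower(), {}).get("content url", "")
        if isinstance(url, str) and HIJACK_DOMAIN in url.lower():
            findings.append((key, "content url", "Messenger content URL points at hijack domain"))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_sohanad_indicators(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

Run it against an export taken from a suspect machine (regedit /e export.reg, then pass the file contents to find_sohanad_indicators); the legitimate ctfmon.exe entry in the sample is deliberately left unflagged because only the three dropped file names count as an indicator.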
Users are advised to implement the following countermeasures:
- Maintain updated anti-virus software.
- Do not click on links contained in untrusted instant messages.
- Apply appropriate security updates at the OS level and applications such as web browsers.
- Keep anti-spyware software updated.
References:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-100316-3321-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOHANAD%2EA&VSect=T
http://www.f-secure.com/weblog/archives/archive-092006.html#00000973
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003