IM-Worm.Win32.Sohanad.ar

From Total Malware Info


Worm that spreads copies of itself over the Yahoo Messenger IM network. It is a Windows PE-EXE file, 245 736 bytes in size. It is packed with the UPX executable packer; the unpacked size is ~616 kilobytes. It is written in the AutoIt scripting language.

Installation

Copies its own executable as:

%WinDir%\SSVICHOSST.exe
%System%\SSVICHOSST.exe

Creates the following registry entries:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell="Explorer.exe SSVICHOSST.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
Yahoo Messengger="%System%\SSVICHOSST.exe"

so that the worm executable is launched every time Windows starts. It also changes the values of the following registry parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NofolderOptions=1

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr=1
DisableRegistryTools=1

In this way it disables the system registry editor and Task Manager.

[HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
AtTaskMaxHours=0

The last parameter stops the execution of scheduled system tasks.

Payload

Terminates the process with the following name:

game_y.exe

Terminates every process whose main window caption contains one of the following strings:

Bkav2006
System Configuration
Registry
Windows Task
[FireLion]
cmd.exe

Deletes the following registry key values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BkavFw
IEProtection

Downloads a list of links to files to be downloaded from one of the following URLs:

http://nhatquanglan3.***.com/setting.nql
http://nhatquanglan3.***.com/setting.xls
http://nhatquanglan4.***.com/setting.ini
http://nhatquanglan4.***.com/setting.nql
http://nhatquanglan4.***.com/setting.xls

Once downloaded, this file is saved under one of the following names:

%System%\setting.ini
%System%\setting.xls
%System%\setting.nql

The worm then downloads the files pointed to by the received links, stores them in the %System% folder and launches them.

The worm searches the system for Yahoo Messenger windows in which the user types messages to be sent, and pastes one of the following text fragments into the message editor:

E may, vao day coi co con nho nay ngon lam

Vao day nghe bai nay di ban

Biet tin gi chua, vao day coi di

Trang Web nay coi cung hay, vao coi thu di

Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?

Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa...

Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi...

Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo...

Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...

Each text fragment is followed by the following link:

http://nhatquanglan1.***tch.com

or by the link read from the "myweb" parameter of the [setting] section of the configuration file %System%\setting.ini, which the worm downloaded beforehand.

The worm copies its executable to the root directory of every removable drive and to every accessible shared network folder under the name "New Folder.exe", and also creates an "autorun.inf" file that points to the worm executable. When the user opens the infected removable drive in Windows Explorer, Explorer reads "autorun.inf" and launches the worm, which immediately infects the system.

Removal instructions

  1. Using Task Manager, terminate the trojan process.
  2. Delete the original trojan file (its file name and location depend on the way the trojan originally penetrated the target computer).
  3. Delete the following parameters in registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    Yahoo Messengger="%System%\SSVICHOSST.exe"
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    NofolderOptions=1
    
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    DisableTaskMgr=1
    DisableRegistryTools=1
    
  4. Restore the original values of the following parameters:
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell="Explorer.exe"
    
    [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
    AtTaskMaxHours=0
    
  5. Delete files:
    %WinDir%\SSVICHOSST.exe
    %System%\SSVICHOSST.exe
    %System%\setting.ini
    %System%\setting.xls
    %System%\setting.nql
    
  6. Delete files with the following names:
    New Folder.exe
    autorun.inf
    
    from all removable drives and network shares.
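The indicators from the Installation, Payload and Removal sections above, gathered into a read-only PowerShell audit. This script is added here as an example and is not part of the original page; it assumes an elevated PowerShell 5.1 or later session on the host being examined and only reports, so remediation still follows the numbered steps.

```powershell
# Read-only audit for the IM-Worm.Win32.Sohanad.ar indicators listed on this page.
# Assumption: elevated PowerShell 5.1+ session on the host under examination.
$findings = [System.Collections.Generic.List[string]]::new()

# Registry values the worm creates or changes, each with a test for the malicious state
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name = 'Shell';                Bad = { param($v) $v -match 'SSVICHOSST\.exe' } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name = 'Yahoo Messengger';     Bad = { param($v) $null -ne $v } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NofolderOptions';      Bad = { param($v) $v -eq 1 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableTaskMgr';       Bad = { param($v) $v -eq 1 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableRegistryTools'; Bad = { param($v) $v -eq 1 } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';
       Name = 'AtTaskMaxHours';       Bad = { param($v) $v -eq 0 } }
)
foreach ($c in $regChecks) {
    # A missing key or value returns $null here and is simply not a finding
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $value = $item.($c.Name)
    if (& $c.Bad $value) { $findings.Add("Registry: $($c.Path)\$($c.Name) = '$value'") }
}

# Dropped copies and downloaded configuration files
$sys32 = Join-Path $env:SystemRoot 'System32'
$paths = @("$env:WINDIR\SSVICHOSST.exe", "$sys32\SSVICHOSST.exe",
           "$sys32\setting.ini", "$sys32\setting.xls", "$sys32\setting.nql")
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { $findings.Add("File: $p") } }

# Spreading artefacts on removable drives (Win32_LogicalDisk DriveType 2 = removable)
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($n in 'New Folder.exe', 'autorun.inf') {
        $p = Join-Path ($_.DeviceID + '\') $n
        if (Test-Path -LiteralPath $p) { $findings.Add("Removable drive: $p") }
    }
}

# Running instance of the installed copy
Get-Process -Name SSVICHOSST -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Process: SSVICHOSST.exe PID $($_.Id) from $($_.Path)") }

if ($findings.Count -eq 0) { 'No Sohanad.ar indicators found.' } else { $findings }
```

Network shares are not enumerated because the page does not say which ones the worm reached; check the shares the affected user could write to by hand.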