
Win32.Shoho.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Shoho.A@mm is also known as W32.Shoho-A, W32.Shoho@mm, I-Worm.Welyah.

Explanation:

It arrives as an e-mail in the following format:

Subject: Welcome to Yahoo!
Attachment: Readme.txt[many spaces].pif (the long run of spaces pushes the real .pif extension out of view, so the attachment looks like a text file)

The worm exploits the IFRAME vulnerability (MS01-027) to run as soon as the user previews the e-mail, without the attachment being opened. A patch and more details for this vulnerability can be found at: http://www.microsoft.com/technet/security/bulletin/ms01-027.asp

After the virus is executed it copies itself as Winl0g0n.exe (digit zeros in place of the letters "o", mimicking winlogon.exe) into the Windows and Windows System directories.

Then it adds the following registry run entries so that the copy starts with Windows: the value "Winl0g0n.exe" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" with data "%WINDIR%\Winl0g0n.exe", and the value "Winl0g0n.exe" under "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" with the same data.

After that it scans the hard disk for files with the following extensions: .eml, .wab, .dbx, .mbx, .xls, .xlt, .mdb and .sys, and searches those files for e-mail addresses.

To send itself to those addresses the worm uses the user's SMTP server; if it cannot find that server, it uses a server that is hard-coded in its body.

After a restart the worm tries to delete files from the Windows and Windows System directories.
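The two indicators described above (the whitespace-padded ".pif" attachment name and the "Winl0g0n.exe" Run entries) can be checked mechanically. The following is an added example written for this page, not BitDefender's code: it flags mail with the described subject and attachment pattern, and matches Run values collected from a registry export against the dropped file name. The Run-key dictionary layout and the sample data are constructed assumptions.

```python
import re
from typing import Dict, List

# Indicators taken from the advisory text above
DROPPED_NAME = "winl0g0n.exe"          # digit zeros, mimicking winlogon.exe
SUBJECT = "welcome to yahoo!"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# A decoy document extension, a long run of whitespace, then the real .pif
PADDED_PIF = re.compile(r"\.(txt|doc|htm|html|jpg)\s{5,}\.pif$", re.IGNORECASE)


def suspicious_attachment(name: str) -> bool:
    """True for 'Readme.txt<many spaces>.pif'-style names hiding their extension."""
    return PADDED_PIF.search(name) is not None


def suspicious_mail(subject: str, attachment: str) -> bool:
    """Subject and attachment together match the arrival format described above."""
    return subject.strip().lower() == SUBJECT and suspicious_attachment(attachment)


def run_key_hits(run_values: Dict[str, Dict[str, str]]) -> List[str]:
    """run_values maps a Run key path to its {value_name: data} entries
    (assumed layout, e.g. parsed from a registry export). Returns 'key\\value'
    paths whose name or data points at the dropped file."""
    hits = []
    wanted = {k.lower() for k in RUN_KEYS}
    for key, values in run_values.items():
        if key.lower() not in wanted:
            continue
        for vname, data in values.items():
            target = data.strip('"').lower()
            if vname.lower() == DROPPED_NAME or target.endswith("\\" + DROPPED_NAME):
                hits.append(f"{key}\\{vname}")
    return hits


# Constructed sample data (not taken from an infected host)
SAMPLE_RUN = {
    RUN_KEYS[0]: {"Winl0g0n.exe": r"%WINDIR%\Winl0g0n.exe"},
    RUN_KEYS[1]: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}

if __name__ == "__main__":
    print(suspicious_mail("Welcome to Yahoo!", "Readme.txt" + " " * 40 + ".pif"))
    print(run_key_hits(SAMPLE_RUN))
```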

Last update 21 November 2011
