Home / malware

PDF

Worm.Sohanat.Z

First posted on 21 November 2011.
Source: BitDefender

Aliases :

Worm.Sohanat.Z is also known as Worm.TermX.

Explanation :

It searches to see if a file named bitdefender.exe exists in Windows directory, and if it can't find one, it downloads o copy of itself or a new variant of itself and places it in %WINDIR%

It makes sure it will be launched every time the computer starts by modifying the key :
"HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunTask Manager"

It also sets a link to itself as a homepage for internet explorer
"HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainHome page"

Modified the following settings for the system and Internet Explorer :

"HKEY_CURRENT_USERSoftwareMicrosoftSearch AssistantDefaultSearchURL"
"HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainSearch Page"
"HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainSearch Bar"
"HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerSearchUrl"

are set to a link to the virus itself

"HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsNTSystemRestoreDisableConfig"
"HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr"
"HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools"

are set to value 1 disabling these settings

"HKEY_CURRENT_USERSoftwareGoogleGoogleToolbarNotifierShowTrayIcon"
"HKEY_CURRENT_USERSoftwareGoogleGoogleToolbarNotifierKeepDS"
"HKEY_CURRENT_USERSoftwareGoogleGoogleToolbarNotifierShowTrayIcon"

are set to value 0 disabling these settings

"HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainUse Search Asst"
is set to value "no" also disabling the search assistant

It spreads itself through Yahoo Messenger chat client using it's clever social engineering skills convincing people to click on links sent with various purposes infecting themselves. It sends itself to the whole Address Books of this popular chat client.

Last update 21 November 2011

 

TOP