Worm:Win32/Sohanad.FC
First posted on 28 June 2019.
Source: Microsoft
Aliases :
Worm:Win32/Sohanad.FC is also known as Win32/Sohanad.worm.239905, W32/IMWorm.CT, I-Worm/Sohanad.I, Worm.IM.Agent.G, Win32/Nuqel.P, Trojan.Downloader-15063, Win32/Sohanad.NAK, Trojan-Downloader.Win32.AutoIt.aa, Generic.ec, W32/Sohana-R, W32.Imaut, WORM_SOHANAD.BO, Worm.Sohanad.R.
Explanation :
Worm:Win32/Sohonad.S is a worm that spreads via mapped network drives.

Installation

When executed, Worm:Win32/Sohonad.S creates multiple copies of itself in the following hardcoded locations:

c:\windows\compmgmt.exe as hidden
c:\windows\system32\debug_32.exe as hidden
c:\windows\system32\MsMpEng.exe as hidden

It executes the various copies using the following registry modifications:

Adds value: Shell
With data: "c:\windows\compmgmt.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: compmgmt.exe
With data: "c:\windows\system32\debug_32.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Adds value: Userinit
With data: "C:\WINDOWS\system32\userinit.exe,c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Adds value: AlternateShell
With data: "c:\windows\system32\MsMpEng.exe"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot

Adds value: AlternateShell
With data: "c:\windows\system32\MsMpEng.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Then, using Windows Task Scheduler, it schedules debug_32.exe to be run in the next minute: it creates multiple jobs to perform this action, named At1, At2, At3, At4 and At5.

The worm also creates copies of itself in the My Documents directory using existing directory names as filenames. For example:

My Pictures.exe
My Music.exe

Spreads Via… Network Drives

The worm enumerates drives on the affected machine and copies itself to the root of all targeted drives as New_Folder.exe. Upon copying itself to a drive, the worm creates a file named 'autorun.inf' in the root of the drive.

The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Kills Processes/Stops Services

The worm kills the following processes on an affected machine.

ravmon.exe
ravmone.exe
sxs.exe
cmd.exe
regedit.exe
avgcc.exe
updat32.exe
rstrui.exe
install.exe
setup.exe
YahooMessenger.exe
mIRC.exe
UIWatcher.exe
UnInstaller.exe

It further kills processes with the following strings in their window titles:

Anti
Anti-Virus
aspersky
Avast
AVG
Back
BitDefender
Chat
Check
Clean
Command
Control
earch
ecurity
egistry
emove
ERD
ERU
ervice
essenger
estore
Guard
ijack
Luke
McAfee
NOD32
Norton
ntivir
ntivirus
Options
Panda
Patrol
pdat
Program Files
rocess
rotect
Run
Scan
Scans
Spy
tartup
Task
Test
Trojan
tweak
utorun
virus
ymantec
ystem32

It also hides windows that contain the following strings:

Setup
Install
Customize
Kaspersky

The worm may stop or suspend the following services:

sp_rsser.exe
avgupsvc.exe
avp.exe

Modifies System Settings

The worm makes the following registry changes in order to hinder its removal and increase its chances of spreading successfully:

Adds value: (Default)
With data: txtfile
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg

Adds value: NoFolderOptions
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Adds value: DisableRegistryTools
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: Disabled
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp

Adds value: DisableTaskMgr
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: NoDriveTypeAutoRun
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Adds value: NoRun
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Adds value: NoFind
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Adds value: NoFileMenu
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Adds value: appwiz.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load

Adds value: Services.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load

Adds value: Startup.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load

Adds value: HideFileExt
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Adds value: Hidden
With data: 2
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Last update 28 June 2019
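
A triage check for the Winlogon Userinit, SafeBoot AlternateShell and Policies\System changes listed above, written against a text export of the registry. This is an added example, not part of the original write-up or any vendor tool; the sample export is constructed, and the function names and the "clean" baselines (Userinit lists only system32\userinit.exe, AlternateShell is cmd.exe) are assumptions of the example.

```python
import re

# Constructed sample: fragment of a `reg export` from a hypothetical host,
# using values listed in the write-up above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,c:\\windows\\tasks\\dmadmin_1.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c:\\windows\\system32\\MsMpEng.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Map (key, value name), both lower-cased, to the data in a .reg export."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                # REG_SZ: undo the \\ and \" escaping used by .reg files
                values[(key, name)] = re.sub(r'\\(.)', r'\1', raw[1:-1])
            elif raw.startswith("dword:"):
                values[(key, name)] = int(raw[6:], 16)
    return values

def findings(values):
    """Flag Winlogon/SafeBoot hijacks and tool lockouts of the kind described."""
    out = []
    userinit = values.get((WINLOGON, "userinit"), "")
    for prog in filter(None, map(str.strip, userinit.split(","))):
        # Assumption: a clean host lists only system32\userinit.exe here.
        if not prog.lower().endswith(r"\system32\userinit.exe"):
            out.append(("Userinit runs extra program", prog))
    shell = values.get((SAFEBOOT, "alternateshell"))
    if shell is not None and shell.lower() != "cmd.exe":  # default is cmd.exe
        out.append(("SafeBoot AlternateShell replaced", shell))
    for name in ("disabletaskmgr", "disableregistrytools"):
        if values.get((POLICIES, name)) == 1:
            out.append(("Policy lockout enabled", name))
    return out

if __name__ == "__main__":
    for what, detail in findings(parse_reg(SAMPLE_REG)):
        print(f"{what}: {detail}")
```

Real `reg export` files are UTF-16 encoded, so decode them before passing the text to `parse_reg`.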