Win32.Worm.Sohanad.NBN
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Sohanad.NBN is also known as W32.Imaut, W32/Autorun.worm.cs, Worm/Autoit.XJ, AutoIt:AutoRun-B2, IM-Worm:W32/Sohanad.HM.
Explanation:
This worm arrives as a 617343-byte file with a folder icon, so that the user is tempted to execute it.
Upon execution, the worm copies itself to the following files:
%windir%\regsvr.exe
%windir%\system32\regsvr.exe
%windir%\system32\svchost .exe
The copies are hidden and also carry a folder icon.
The worm also creates the file %windir%\system32\setup.ini, which it copies as autorun.inf onto any removable media connected to the system. This ensures the worm is executed on any system the removable media is later connected to:
[Autorun]
Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\Open\command=regsvr.exe
Shell=Open
The worm also copies itself into every directory of any connected removable media as <DirName> .exe, with a folder icon.
The worm adds a scheduled task via at.exe that runs C:\windows\system32\svchost .exe every day at 9:00 AM. It also removes the duration limit on scheduled tasks by setting the key HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours to 0.
Registry modifications:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared will be set to "New Folder .exe" -> the worm tries to add itself to the system's shared folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline will be set to 0 -> the user will not be able to open Internet Explorer in offline mode
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable and HKLM\System\CurrentControlSet\Hardware Profiles\001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable will be set to 0 to disable the proxy server
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools will be set to 1 to disable regedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr will be set to 0 -> the worm probably intends to disable the Task Manager, but to do that it would have to set this value to 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions will be set to 0 -> the worm probably intends to disable Folder Options, but to do that it would have to set this value to 1
Last update 21 November 2011
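The autorun.inf payload quoted above and the registry changes listed here are the observable indicators a defender can check for. As an added example, not BitDefender's code and not part of the original write-up, the Python below parses an autorun.inf body and flags its launch directives, tests file names for the space-before-.exe trick the worm uses ("svchost .exe", "New Folder .exe"), and scores a set of registry observations against the values the advisory lists. The autorun.inf text is the one from the advisory; the registry observations are constructed sample data, and the strong/weak weighting is the author's own judgement, not something the advisory states.

```python
import re

# autorun.inf body as quoted in the advisory (the worm's setup.ini payload).
SAMPLE_AUTORUN_INF = """[Autorun]
Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\\Open\\command=regsvr.exe
Shell=Open
"""

# Directives that make Windows launch a file from the medium on insertion,
# on "Explore", or on double-click.
LAUNCH_DIRECTIVES = {"open", "shellexecute", "shell\\open\\command"}

# The worm's naming trick: a space before the extension ("svchost .exe",
# "New Folder .exe", "<DirName> .exe") so the name reads like a system file
# or a folder while still being an executable.
SPACE_BEFORE_EXT = re.compile(r"\S \.exe$", re.IGNORECASE)

# Registry values the advisory says the worm writes, with the data written.
# "strong" values are rarely set that way on a healthy host; "weak" ones are
# common on clean machines too (ProxyEnable=0 is the norm without a proxy)
# and only corroborate.  The weighting is an assumption of this example.
# DisableTaskMgr and NofolderOptions are written as 0, which has no effect,
# so they are not useful indicators and are left out.
TAMPERED_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": (1, "strong"),
    r"HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours": (0, "strong"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared": ("New Folder .exe", "strong"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline": (0, "weak"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": (0, "weak"),
}


def parse_inf(text):
    """Minimal INI parser returning {section: {key: value}} with lower-cased
    section and key names.  Hand-written so that keys containing backslashes
    (Shell\\Open\\command) are kept verbatim rather than mangled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return a list of findings for one autorun.inf body; empty means clean."""
    findings = []
    autorun = parse_inf(text).get("autorun", {})
    for key, value in autorun.items():
        if key in LAUNCH_DIRECTIVES:
            findings.append(f"{key} launches {value!r} from the removable medium")
    # Shell=<verb> makes a custom verb defined by Shell\<verb>\command the
    # default action when the drive is double-clicked in Explorer.
    verb = autorun.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in autorun:
        findings.append(f"Shell={verb} makes the custom '{verb}' verb the default double-click action")
    return findings


def is_lookalike_name(name):
    """True for executables named with a space before .exe, e.g. 'svchost .exe'."""
    return bool(SPACE_BEFORE_EXT.search(name))


def audit_registry(observed):
    """observed: {value path: data} collected from a host.  Returns
    (strong_hits, weak_hits), each a list of value paths matching the advisory."""
    obs = {path.lower(): data for path, data in observed.items()}
    strong, weak = [], []
    for path, (bad_data, weight) in TAMPERED_VALUES.items():
        if obs.get(path.lower()) == bad_data:
            (strong if weight == "strong" else weak).append(path)
    return strong, weak


if __name__ == "__main__":
    # Constructed host observations (not real telemetry) to exercise the checks;
    # AtTaskMaxHours is deliberately left at a non-zero value.
    observed = {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": 0,
        r"HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours": 72,
    }
    for line in audit_autorun(SAMPLE_AUTORUN_INF):
        print("autorun.inf:", line)
    strong, weak = audit_registry(observed)
    print("strong registry indicators:", strong)
    print("weak registry indicators:", weak)
    for name in ("svchost .exe", "svchost.exe", "New Folder .exe"):
        print(f"{name!r} lookalike: {is_lookalike_name(name)}")
```

The registry audit is deliberately split into strong and weak hits: DisableRegistryTools=1 or AtTaskMaxHours=0 on a workstation warrants a look on its own, whereas ProxyEnable=0 or GlobalUserOffline=0 only matter alongside the file and autorun.inf indicators. Note that Windows has not honoured autorun.inf on USB media by default since the 2011 AutoRun update, so on a patched host the file is inert, but its presence on a stick still shows that an infected machine wrote it.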