Win32.Worm.Sohanad.NAW
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Sohanad.NAW is also known as Virus:Win32/Sality.AH, W32.Blastclan, W32/Kashu.A.
Explanation:
This malware uses a folder-like icon in order to trick the user into double-clicking it.
Once run, the malware performs the following actions:
- Creates a mutex named "_kkiuynbvnbrev406" in order to avoid running duplicate instances.
- Drops in the "%WINDIR%\System32" directory a DLL file named "wd273296.dll" and a packed copy of this DLL under the name "wd273296.dl_".
- Creates a copy of itself under the name "SCVVHOST.exe" in the "%WINDIR%\System32" and "%WINDIR%" directories.
- Creates a copy of itself under the name "blastclnnn.exe" in "%WINDIR%\System32".
- Registers "%WINDIR%\System32\SCVVHOST.exe" to run at system startup by modifying the default shell to "explorer.exe SCVVHOST.exe", and also by creating a new entry under "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" named "Yahoo Messengger" pointing to the same executable.
- To protect itself, it disables the registry tools and the Task Manager and modifies other security settings.
- Deletes all scheduled tasks and creates a new task that runs the copy of the malware located at "%WINDIR%\System32\blastclnnn.exe".
- Drops a driver named "[random-name].sys" in "C:\Windows\system32\drivers" and uses it to disable some antivirus software.
- Attempts to share a copy of itself named "New Folder.exe" on the local network.
- It has the functionality required for downloading other malware files from the internet.
Last update 21 November 2011
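As an added triage example (not part of the BitDefender entry and not the vendor's tooling), the following PowerShell script checks a host for the artifacts listed above: the dropped files, the "Yahoo Messengger" Run value, the altered shell, the scheduled task, the disabled registry tools and Task Manager, and the mutex. It assumes that the "default shell" is the Winlogon Shell value, that the disabling is done through the standard DisableRegistryTools/DisableTaskMgr policy values, and additionally looks in SysWOW64 in case of file-system redirection on 64-bit Windows.

```powershell
# Added triage script, not BitDefender's code. Read-only: it reports, it does not clean.
# Run in an elevated PowerShell on the suspect host.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files named on the page. SysWOW64 is an assumption: a 32-bit dropper writing to
#    System32 on 64-bit Windows is redirected there by WOW64 file-system redirection.
$dirs  = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64", $env:WINDIR)
$names = @('SCVVHOST.exe', 'blastclnnn.exe', 'wd273296.dll', 'wd273296.dl_')
foreach ($d in $dirs) {
    foreach ($n in $names) {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
    }
}

# 2. Persistence: the Run value "Yahoo Messengger" (the misspelling is the worm's) and the
#    Winlogon Shell value, assumed to be the "default shell" the page refers to.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Yahoo Messengger']) {
    $findings.Add("Run value 'Yahoo Messengger' -> $($run.'Yahoo Messengger')")
}
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and $wl.Shell -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell is '$($wl.Shell)' (expected 'explorer.exe')")
}

# 3. A scheduled task that launches blastclnnn.exe (schtasks.exe exists on every Windows version).
if (schtasks.exe /query /fo LIST /v 2>$null | Select-String -SimpleMatch 'blastclnnn') {
    $findings.Add('scheduled task references blastclnnn.exe')
}

# 4. Registry tools / Task Manager disabled: assumed to use the standard policy values.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$sys = Get-ItemProperty $pol -ErrorAction SilentlyContinue
foreach ($v in 'DisableRegistryTools', 'DisableTaskMgr') {
    if ($sys -and $sys.$v -eq 1) { $findings.Add("$pol\$v = 1") }
}
# 5. The mutex exists only while a copy is executing; an access-denied error still means it exists.
try {
    [System.Threading.Mutex]::OpenExisting('_kkiuynbvnbrev406').Dispose()
    $findings.Add('mutex _kkiuynbvnbrev406 present (worm likely running)')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] {
    $findings.Add('mutex _kkiuynbvnbrev406 present but not openable (worm likely running)')
}
if ($findings.Count -eq 0) { 'No Win32.Worm.Sohanad.NAW indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The driver dropped as "[random-name].sys" is not checked, because the page gives no stable name for it; compare the contents of the drivers directory against a known-good baseline for that.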