Home / malwarePDF  

Win32.Worm.Sohanad.NBM


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Sohanad.NBM is also known as W32.Autorun.worm.cs, Trojan.Win32.Autoit.ci.

Explanation :

This worm performs the following actions upon execution:
- make a copy of itself inside %windir% folder as “regsvr.exe”
- make a copy of itself inside %windir%system32 folder as “regsvr.exe”
- make a copy of itself inside %windir%system32 folder as “svchost .exe”
- register itself at startup in many places by adding the following registry values:
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun : “Msn Messsenger” -> “c:WindowsSystem32
egsvr.exe”
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell -> “regsvr.exe”
- disables task manager, registry tools and folder options by settings the next registry keys: HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem:
"DisableTaskMgr" ->"0";
"DisableRegistryTools" ->"0";
HKCUSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer:
"NofolderOptions" ->"0";
- creates a scheduled task using windows AT command in order to run “%windir%System32svchost .exe”(a copy of the malware) every day at 09:00AM. It also removes the limit on how long scheduled tasks are active by setting the key HKLMSYSTEMCurrentControlSetServicesSchedule:
"AtTaskMaxHours"->"0".
- disables Internet Explorer to start in offline mode by setting the registry HKCUSOFTWAREMicrosoftWindowsCurrentVersionInternet Settings:
"GlobalUserOffline"-> "0"
- creates the following registry entry so that its copy is shared HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerWorkgroupCrawlerShares: "shared"->"New folder.exe". If it finds any shared drives, it copies itself under the name “New folder.exe.”

- it spread itself via shared drives, removable drives and yahoo messenger.

Last update 21 November 2011

 

TOP