
Win32.Worm.Sohanad.NEZ


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Sohanad.NEZ is also known as Trojan-Downloader.Win32.AutoIt.jj, W32/Autorun.worm.bz.gen.

Explanation :

Once executed, it does the following:
- copies itself to the above-mentioned paths
- modifies the following registry values:

  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" -> "Explorer.exe SSVICHOSST.EXE"
  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger" -> "SSVICHOSST.EXE"
  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions" -> "1"
  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr" -> "1"
  "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" -> "1"
  "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours" -> "0"
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL" -> "http://rnd009.googlepages.com/google.html"
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL" -> "http://rnd009.googlepages.com/google.html"
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page" -> "http://rnd009.googlepages.com/google.html"
  "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page" -> "http://rnd009.googlepages.com/google.html"
  "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage" -> "1"
  "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page" -> "http://rnd009.googlepages.com/google.html"

- it deletes all existing scheduled tasks and creates a new daily task that runs the worm
- it creates an "autorun.ini" file in "%sysdir%" / "%desktopdir%" that points to the hidden copy of the worm in the same folder
- it downloads a "settings.ini" file from "http://rnd009.t35.com" into "%sysdir%" / "%desktopdir%"
- it reads a list of files to download from "settings.ini", downloads them and runs them
- it sends messages to the user's Yahoo Messenger contacts, either taken from "settings.ini" or predefined ones; the messages contain malicious URLs through which the worm spreads
- it infects removable drives and network shared folders with copies named "New Folder.exe" and adds an "autorun.inf" so that the system runs them automatically when the drive is inserted or browsed
- if found, it tries to kill the following processes:

  "game_y.exe"
  "cmd.exe"

- if found, it tries to close the following windows:

  "Bkav2006" (also deletes "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw")
  "System Configuration"
  "Registry"
  "Windows Task"
  "[FireLion]" (also deletes "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection" and triggers a system shutdown)

The worm executable is displayed with a deceptive folder icon.
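The registry changes, the wiped task scheduler and the autorun.inf entries listed above are all host-side artifacts a responder can check for. The script below is an added example, not BitDefender code: it audits a registry snapshot (a dictionary mapping "HIVE\subkey\value name" to the value's string form, a format assumed here) against every value the write-up names, and extracts the executables an autorun.inf would launch. The helper names, the snapshot layout and the sample infected/clean snapshots are constructed for the example; the key paths, value names and data come from the write-up. On Windows, `--live` reads the same values through the standard `winreg` module.

```python
"""Audit a registry snapshot and an autorun.inf for the changes the
write-up attributes to Win32.Worm.Sohanad.NEZ.  Added example, not
BitDefender code; snapshot format and helper names are assumptions."""
import sys

REDIRECT_HOST = "rnd009.googlepages.com"   # home/search page target from the write-up
IE_MAIN = r"SOFTWARE\Microsoft\Internet Explorer\Main"


# Each check receives the value's string form (None when the value is absent)
# and returns a finding string, or None when the value looks clean.
def _shell_rule(v):
    # Winlogon\Shell must be exactly explorer.exe; the worm appends its copy.
    if v is not None and v.strip().lower() != "explorer.exe":
        return f"Winlogon Shell chained to: {v!r}"
    return None


def _present_rule(v):
    return "unexpected Run entry" if v is not None else None


def _flag_one(v):
    return "policy set to 1" if v == "1" else None


def _flag_zero(v):
    return "AtTaskMaxHours set to 0 (scheduled tasks wiped)" if v == "0" else None


def _redirect_rule(v):
    return f"points to {REDIRECT_HOST}" if v and REDIRECT_HOST in v.lower() else None


# (hive, subkey, value name, check) for every registry value the write-up lists.
RULES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", _shell_rule),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Yahoo Messengger", _present_rule),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", _flag_one),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", _flag_one),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", _flag_one),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", _flag_zero),
    ("HKLM", IE_MAIN, "Default_Page_URL", _redirect_rule),
    ("HKLM", IE_MAIN, "Default_Search_URL", _redirect_rule),
    ("HKLM", IE_MAIN, "Search Page", _redirect_rule),
    ("HKLM", IE_MAIN, "Start Page", _redirect_rule),
    ("HKLM", r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "HomePage", _flag_one),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Start Page", _redirect_rule),
]


def audit_registry(snapshot):
    """Return 'HIVE\\subkey\\name: finding' strings; an empty list means clean."""
    findings = []
    for hive, subkey, name, check in RULES:
        key = f"{hive}\\{subkey}\\{name}"
        result = check(snapshot.get(key))
        if result:
            findings.append(f"{key}: {result}")
    return findings


def autorun_targets(text):
    """Return the executables an autorun.inf would launch (open= / shellexecute= lines)."""
    targets = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() in ("open", "shellexecute"):
            targets.append(value.strip())
    return targets


def read_live_snapshot():
    """Windows only: read every RULES value from the live registry via winreg."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey, name, _ in RULES:
        key = f"{hive}\\{subkey}\\{name}"
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                snapshot[key] = str(winreg.QueryValueEx(k, name)[0])
        except OSError:          # key or value does not exist
            snapshot[key] = None
    return snapshot


# Constructed snapshots: an infected host using the write-up's values, and a clean one.
INFECTED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe SSVICHOSST.EXE",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger": "SSVICHOSST.EXE",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": "1",
    r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page": "http://rnd009.googlepages.com/google.html",
}
CLEAN = {r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe"}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    for finding in audit_registry(read_live_snapshot() if live else INFECTED):
        print(finding)
```

Absent values are treated as clean, so the audit only reports the specific tampering the write-up describes; the Winlogon Shell rule is the one exception and flags any value other than plain `explorer.exe`, since that value is a common persistence point beyond this family.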

Last update 21 November 2011
