WORM_SOHANAD.VB
Aliases: W32/Sohanad.A!worm.im (Fortinet), Worm.Win32.AutoRun.dtbv (Kaspersky), Worm:Win32/Nuqel.Z (Microsoft), W32/Yahlover.worm (NAI)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
File Size: 617,473 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 01 Aug 2013
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system:
- %Windows%\regsvr.exe
- %System%\svchost.exe
- %System%\regsvr.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)
Other System Modifications
This worm adds the following registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
It adds the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableTaskMgr = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NofolderOptions = "0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Msn Messenger = "%System%\regsvr.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
  AtTaskMaxHours = "0"
It modifies the following registry entries as part of its installation routine:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = "Explorer.exe regsvr.exe"
  (Note: The default value data of the said registry entry is "Explorer.exe".)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
  NextAtJobId = "2"
  (Note: The default value data of the said registry entry is "1".)
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- {Removable Drive Letter}:\New Folder.exe
- {Removable Drive Letter}:\regsvr.exe
It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
Dropping Routine
This worm drops the following files:
- %Windows%\Tasks\At1.job
- {Removable Drive Letter}:\autorun.inf
- %System%\setup.ini
- %System%\setting.ini
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %System% is the Windows system folder, which is usually C:\Windows\System32.)
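A read-only host-triage script for the indicators listed in this entry, added here as an example (it is not part of the Trend Micro write-up): it checks the Winlogon Shell and Run-key persistence, the policy values, the dropped files and the removable-drive copies. It assumes Windows PowerShell on a host with the standard %SystemRoot% layout; %System%\svchost.exe is deliberately left out of the file checks because that name is also a legitimate Windows file, so its presence alone proves nothing.

```powershell
# Host triage for the WORM_SOHANAD.VB indicators above (added example, not Trend Micro's code).
# Read-only; run from an elevated Windows PowerShell prompt.
$findings = @()

# Winlogon Shell: the default is exactly "Explorer.exe"; this worm appends regsvr.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') { $findings += "Winlogon Shell = '$shell'" }

# Autostart value "Msn Messenger" under the current user's Run key.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$msn = (Get-ItemProperty -Path $run -Name 'Msn Messenger' -ErrorAction SilentlyContinue).'Msn Messenger'
if ($msn) { $findings += "Run\Msn Messenger = '$msn'" }

# Policy values the worm writes (registry value names are case-insensitive).
$policy = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
}
foreach ($key in $policy.Keys) {
    foreach ($name in $policy[$key]) {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { $findings += "$key\$name = $v" }
    }
}

# Dropped files. regsvr.exe (unlike regsvr32.exe) is not a Windows binary, so its
# presence is a strong signal; the .ini files and the At1.job scheduled task are listed too.
$sys = "$env:SystemRoot\System32"
foreach ($p in "$env:SystemRoot\regsvr.exe", "$sys\regsvr.exe", "$sys\setup.ini",
               "$sys\setting.ini", "$env:SystemRoot\Tasks\At1.job") {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# Removable drives (DriveType 2): autorun.inf, regsvr.exe, New Folder.exe, and an .exe
# named after each folder on the drive (the worm's folder-mimicking copies).
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($n in 'autorun.inf', 'regsvr.exe', 'New Folder.exe') {
        if (Test-Path -LiteralPath (Join-Path $root $n)) { $findings += "Removable: $root$n" }
    }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } | ForEach-Object {
            $twin = Join-Path $root ($_.Name + '.exe')
            if (Test-Path -LiteralPath $twin) { $findings += "Folder-named copy: $twin" }
        }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No WORM_SOHANAD.VB indicators found.' }
```

A hit on the Winlogon Shell value or on regsvr.exe is the most reliable indicator; the policy values can also be set legitimately by Group Policy, so confirm them against the other findings before acting.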