WORM_SOHANAD.MSM
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Propagates via removable drives
This worm arrives by connecting affected removable drives to a system. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.
It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
TECHNICAL DETAILS
157,953 bytes
EXE
Yes
04 Apr 2011
Arrival Details
This worm arrives by connecting affected removable drives to a system.
It may be downloaded by other malware/grayware/spyware from remote sites.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following copies of itself into the affected system:
- %Windows%\Network-IPv6\network.exe
- %Windows%\astry.exe
- %Windows%\scvhost.exe
- %Windows%\Network-IPv6\network.exe
- %System%\scvhost.exe
- %User Profile%\winlogon.exe
- %User Profile%\system.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders with attributes set to System and Hidden to prevent users from discovering and removing its components:
- {removable drive}\astry
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
UserLogon = %UserProfile%\winlogon.exe
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Network IPv6 = %WINDOWS%\Network-IPv6\network.exe
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Tips
50 = Iloveu astry and never forget you
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegistryTools = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableRegedit = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
system
DisableTaskMgr = 0
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
NOHIDDEN
HKeyRoot = 1010
(Note: The default value data of the said registry entry is dword:80000001.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
Text = Akan gue ingat semua
(Note: The default value data of the said registry entry is @shell32.dll,-30500.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
DefaultValue = 1
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
HKeyRoot = 1018
(Note: The default value data of the said registry entry is dword:80000001.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\HideFileExt
Type =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\HideFileExt
Text = Lo dugem terus
(Note: The default value data of the said registry entry is @shell32.dll,-30503.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\NetCrawler
Text = Terlalu banyak nuntut
(Note: The default value data of the said registry entry is @shell32.dll,-30509.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\PersistBrowsers
Text = Lo gak romantis
(Note: The default value data of the said registry entry is @shell32.dll,-30513.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ShowCompColor
Text = Otak lo mesum
(Note: The default value data of the said registry entry is @shell32.dll,-30512.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ShowFullPath
Text = Lo bego
(Note: The default value data of the said registry entry is @shell32.dll,-30504.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ShowFullPathAddress
Text = Gue pandang2x lo jelek
(Note: The default value data of the said registry entry is @shell32.dll,-30505.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ShowInfoTip
Text = Jarang jajan
(Note: The default value data of the said registry entry is @shell32.dll,-30502.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SimpleSharing
Text = Gak punya mobil
(Note: The default value data of the said registry entry is @shell32.dll,-30518.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
Text = gue ada pacar baru
(Note: The default value data of the said registry entry is @shell32.dll,-30508.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Thickets
Text = Hidup bersama lo :
(Note: The default value data of the said registry entry is Managing pairs of Web pages and folders.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Thickets
Bitmap = C:\WINDOWS\SYSTEM32\SHELL32.DLL,29
(Note: The default value data of the said registry entry is C:\WINDOWS\System32\SHELL32.DLL,4.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Thickets\
AUTO
Text = Bakalan susah
(Note: The default value data of the said registry entry is Show and manage the pair as a single file.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Thickets\
NOHIDE
Text = Biasa aza
(Note: The default value data of the said registry entry is Show both parts but manage as a single file.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Thickets\
NONE
Text = Bakalan senang
(Note: The default value data of the said registry entry is Show both parts and manage them individually.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\WebViewBarricade
Text = Gue masih cinta lo
(Note: The default value data of the said registry entry is @shell32.dll,-30510.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe, scvhost.exe
(Note: The default value data of the said registry entry is Explorer.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,
(Note: The default value data of the said registry entry is C:\WINDOWS\system32\Userinit.exe,scvhost.exe.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder
Text = Gue pikir2x lo itu:
(Note: The default value data of the said registry entry is @shell32.dll,-30498.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ClassicViewState
Text = Adik lo banyak
(Note: The default value data of the said registry entry is @shell32.dll,-30506.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\ControlPanelInMyComputer
Text = Pacar lo Banyak
(Note: The default value data of the said registry entry is @shell32.dll,-30497.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\DesktopProcess
Text = Kurang taat ibadah
(Note: The default value data of the said registry entry is @shell32.dll,-30507.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\DisableThumbCache
Text = Sok tau
(Note: The default value data of the said registry entry is @shell32.dll,-30517.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\FolderSizeTip
Text = Babe lo galak
(Note: The default value data of the said registry entry is @shell32.dll,-30514.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\FriendlyTree
Text = Gue kangen berat
(Note: The default value data of the said registry entry is @shell32.dll,-30511.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\FriendlyTree
CheckedValue = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden
Text = Semua tentang lo :
(Note: The default value data of the said registry entry is @shell32.dll,-30499.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
NOHIDDEN
Text = Akan gue lupakan semua
(Note: The default value data of the said registry entry is @shell32.dll,-30501.)
Propagation
This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
NOTES:
It replaces all values in the entries of the following registry to "Iloveu astry and never forget you:"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Tips