SOHANAD
Aliases: Nuqel, AutoIt, Imaut, YahLover, Autorun
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
SOHANAD malware has been around since 2006. Its first variant used instant messaging applications to spread to other computers. Later versions incorporated network share propagation and spreading via removable drives.
This family of worms is written in AutoIt, a freeware scripting language for Windows. The script is compiled into a Win32 executable with the Aut2Exe tool to produce the malware's final build.
SOHANAD malware disables the Registry Editor and the Windows Task Manager upon execution. It also modifies the affected user's home page and terminates certain processes. It can also update itself frequently by downloading a component that contains a list of URLs from which SOHANAD may download an updated copy of itself.
TECHNICAL DETAILS
Installation
This worm drops the following files:
- %System%\28463\svchost.001
- %System%\28463\svchost.002
- %System%\28463\svchost.exe
- %System%\autorun.ini
- %System%\dotnetfx.dll
- %System%\setting.ini
- %System%\setup.ini
- %User Temp%\aut1.tmp
- %User Temp%\aut2.tmp
- %User Temp%\log_{Time stamp}.tx
- %Windows%\Tasks\At1.job
- {drive letter}\autorun.inf
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following copies of itself into the affected system:
- %System%\gphone.exe
- %System%\regsvr.exe
- %System%\svchost .exe
- %Windows%\gphone.exe
- %Windows%\regsvr.exe
- {drive letter}\gphone.exe
- {drive letter}\New Folder .exe
- {drive letter}\New Folder.exe
- {drive letter}\regsvr.exe
- {drive letter}\{foldername}.exe
- {shared folder}\New Folder .exe
- {shared folder}\regsvr.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It creates the following folders:
- %System%\28463
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger = "%System%\gphone.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Msn Messsenger = "%System%\regsvr.exe"
It modifies the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe gphone.exe"
(Note: The default value data of the said registry entry is Explorer.exe.)
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared = "\{host name}\{shared folder}\New Folder .exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared = "\New Folder.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DotNetRecovery
@ = "A"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions = "1"
It deletes the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
IEProtection = {blank}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BkavFw = {blank}
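A defender-side check for the persistence and policy changes listed under Autostart Technique and Other System Modifications, added here as an example and not part of the original advisory. It assumes a PowerShell 5.1 or later session on the affected host, run as the affected user with administrative rights, and that %System% resolves to $env:SystemRoot\System32; it reports findings and changes nothing.

```powershell
# Added example: report the SOHANAD registry and file indicators from this advisory.
$findings = @()

# 1. Winlogon Shell: the default is exactly "Explorer.exe"; the advisory documents
#    "Explorer.exe gphone.exe", so any appended token is a persistence indicator.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell' (expected 'Explorer.exe')"
}

# 2. HKCU Run values named in the advisory (the misspellings are the worm's own).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Yahoo Messengger', 'Msn Messsenger') {
    $val = (Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "Run value '$name' = '$val'" }
}

# 3. Policy values the worm sets to lock the user out of Task Manager, Regedit
#    and Folder Options (registry value names are case-insensitive).
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Path = "$policies\System";   Name = 'DisableTaskMgr' },
    @{ Path = "$policies\System";   Name = 'DisableRegistryTools' },
    @{ Path = "$policies\Explorer"; Name = 'NoFolderOptions' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $findings += "Policy $($c.Name) = 1 under $($c.Path)" }
}

# 4. Dropped files, the working folder and the scheduled-task file from the advisory.
$sys32 = Join-Path $env:SystemRoot 'System32'
$paths = @(
    (Join-Path $sys32 '28463'), (Join-Path $sys32 'gphone.exe'),
    (Join-Path $sys32 'regsvr.exe'), (Join-Path $env:SystemRoot 'gphone.exe'),
    (Join-Path $env:SystemRoot 'regsvr.exe'), (Join-Path $env:SystemRoot 'Tasks\At1.job')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
}

if ($findings.Count -eq 0) { 'No SOHANAD indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A non-default Shell value alone warrants a closer look even when the other checks are clean, since later variants may rename the dropped executable.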
Other Details
This worm connects to the following possibly malicious URLs: