Worm.Sohanat.Z

HIGH
MEDIUM
Size: ~200 KB
Alias: Worm.TermX

Symptoms

            The Internet Explorer homepage is set to the location of the worm. It cannot be changed to a different page, because the worm disables that option.

            Task Manager, Regedit and the Run entry of the Start Menu are disabled.

            Contacts in your Yahoo Messenger list ask why you sent them that link, after they have been infected too.

Removal instructions:

Please let BitDefender disinfect your computer.

Analyzed By

Mihai Cimpoesu, Virus Researcher

Technical Description:

        It checks whether a file named bitdefender.exe exists in the Windows directory; if it does not, it downloads a copy of itself (or a newer variant) and places it in %WINDIR% under that name. The file name imitates the antivirus vendor so that it looks legitimate in a process or file listing.

        It ensures that it is launched at every system start by adding a value named "Task Manager" under the Run key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Task Manager"

        It also sets a link to itself as the Internet Explorer homepage by writing:
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Home page"


       It modifies the following system and Internet Explorer settings:

"HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\DefaultSearchURL"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl"

are set to a link to the worm itself, and

"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"

are set to 1, which disables System Restore configuration, Task Manager and the registry editor respectively. These are ordinary Group Policy values, so the lockout persists until the values are deleted or reset to 0.


"HKEY_CURRENT_USER\Software\Google\GoogleToolbarNotifier\ShowTrayIcon"
"HKEY_CURRENT_USER\Software\Google\GoogleToolbarNotifier\KeepDS"

are set to 0, disabling the Google Toolbar notifier tray icon and its default-search protection.
       

"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst"
is set to "no", which also disables the Search Assistant.

          It spreads through the Yahoo Messenger chat client, using social engineering to persuade recipients to click links sent under various pretexts, which infects them in turn. It sends itself to every contact in the infected user's Yahoo Messenger address book.
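The following script is an added example and is not part of the Bitdefender write-up or of the vendor's disinfection routine. It audits the registry values and the dropped file listed in the technical description above and, with the -Remediate switch, reverses them. Several details are assumptions rather than facts from the description: the replacement homepage (about:blank by default), the heuristic that the worm's link names an executable (the `\.exe` pattern), the extra `Start Page` check (the value Internet Explorer actually reads for its homepage; the description lists `Home page`), and the choice to delete the search values so that Internet Explorer recreates its defaults.

```powershell
# Added example, not part of the Bitdefender write-up: check the registry and file-system
# changes the description attributes to Worm.Sohanat.Z and, with -Remediate, undo them.
# Run from an elevated PowerShell session logged on as the affected user (the HKCU values
# are per user). DisableRegistryTools blocks regedit.exe only; the PowerShell registry
# provider used here keeps working while that policy is in place.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Assumed replacement homepage; substitute whatever the user had before infection.
    [string]$Homepage = 'about:blank'
)

$dropper = Join-Path $env:WINDIR 'bitdefender.exe'   # file name the worm uses (from the description)
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Task Manager'                            # persistence value name (from the description)

# Each entry: registry path, value name, a regex matching what the worm writes there, and the
# remediation ('Remove' the value, 'Reset' it to $Homepage, or only 'Report' it).
# The '\.exe' pattern is an assumption: the description only says the values point at the
# worm's own link. 'Home page' is the name the description lists; 'Start Page' is the value
# Internet Explorer actually reads for its homepage and is added here on that basis.
$indicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig';        Bad = '^1$';   Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Bad = '^1$';   Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = '^1$';   Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Home page';            Bad = '\.exe'; Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Start Page';           Bad = '\.exe'; Fix = 'Reset'  },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Search Page';          Bad = '\.exe'; Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Search Bar';           Bad = '\.exe'; Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                 Name = 'Use Search Asst';      Bad = '^no$';  Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Search Assistant';                       Name = 'DefaultSearchURL';     Bad = '\.exe'; Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl';            Name = '(default)';            Bad = '\.exe'; Fix = 'Remove' },
    @{ Path = 'HKCU:\Software\Google\GoogleToolbarNotifier';                     Name = 'ShowTrayIcon';         Bad = '^0$';   Fix = 'Report' },
    @{ Path = 'HKCU:\Software\Google\GoogleToolbarNotifier';                     Name = 'KeepDS';               Bad = '^0$';   Fix = 'Report' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, instead of a terminating error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Indicators {
    # One record per indicator; Hit is $true when the current value matches the worm's write
    foreach ($i in $indicators) {
        $val = Get-RegValue $i.Path $i.Name
        $hit = ($null -ne $val) -and ("$val" -match $i.Bad)
        [pscustomobject]@{ Hit = $hit; Name = $i.Name; Value = $val; Path = $i.Path; Fix = $i.Fix }
    }
}

# ---- Report -------------------------------------------------------------------------------
$results = Test-Indicators
$results | Format-Table Hit, Name, Value, Path -AutoSize
$runCmd = Get-RegValue $runKey $runName
"Run value '$runName': $(if ($runCmd) { $runCmd } else { '<absent>' })"
"Dropper $dropper present: $(Test-Path $dropper)"

if (-not $Remediate) { return }

# ---- Remediation --------------------------------------------------------------------------
# Match the running copy by full path, never by name, so a genuine Bitdefender process is
# never stopped by accident; the worm's file and value names are decoys.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $dropper } | Stop-Process -Force
Remove-Item -Path $dropper -Force -ErrorAction SilentlyContinue
if ($runCmd) { Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue }

foreach ($r in ($results | Where-Object Hit)) {
    switch ($r.Fix) {
        'Reset'  { Set-ItemProperty -Path $r.Path -Name $r.Name -Value $Homepage }
        # Assumption: Internet Explorer and the policy engine treat an absent value as the default.
        'Remove' { Remove-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue }
        default  { "Left $($r.Path)\$($r.Name) alone; repair it by reinstalling the toolbar" }
    }
}
"Done. Rerun without -Remediate to verify, then log off and on so the policy changes take effect."
```

Run it once without switches to see what is present, inspect the reported values (in particular the URL the browser values point at, which is the worm's download location and should go into your block lists), and only then rerun with -Remediate. The script deliberately leaves Yahoo Messenger alone: the contacts who already received the link need to be warned out of band, since the description gives no way to recall the messages.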