
Worm.IM.Agent.G

HIGH
LOW
~240KB
(Win32.Worm.Sohanad)

Symptoms

Presence of file "SSVICHOSST.EXE" in %SYSTEM% and %WINDIR%.

Disables Task Manager and Registry Tools, and modifies Folder options.

New registry entry:
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"

New entry in TaskScheduler.

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Marius TIVADAR, virus researcher

Technical Description:

Once it is running, the worm copies itself into %WINDIR% and %SYSTEM% as "ssvichosst.exe" and makes sure it is executed at every restart by adding itself to the registry in several places.

The first important action this worm takes is updating itself. To do so, it contacts "http://nhatquan[...].com" and downloads a settings file. That file tells it where new versions of the worm are located, and the worm downloads and executes them.

Note that this worm can also act as a host for other trojans, downloading and executing them. After the update process, the worm tries to spread itself (its main activity). It searches for an open "Yahoo! Messenger" window, chooses random contacts, and takes control of Yahoo! Messenger to send messages without your permission. This version of the worm does not attack other messenger clients. The messages sent to contacts are chosen randomly from a set retrieved from the settings file downloaded in the first step. The language is usually Vietnamese.

The contacts who receive the message are instructed to click the link and download a file. Of course, that file is the worm itself.

Message example:
"Trang Web nay coi cung hay, vao coi thu di http://nhatquang[...]atch.com"

Another spreading mechanism: the worm tries to copy itself to all network shares and connected removable devices.

It also tries to disable some protection mechanisms.