trojan.Generic.1828131( W32.Autorun.worm.cs, Trojan.Win32.Autoit.ci, Win32.Worm.Sohanad.NBN )
SYMPTOMS:
- presence of %windir%\regsvr.exe
- presence of %windir%\system32\regsvr.exe
- presence of %windir%\system32\svchost .exe (note the space before the extension)
- presence of the registry entries mentioned below
- computer slows down
- Task Manager disabled
- registry tools disabled

TECHNICAL DESCRIPTION:
This worm performs the following actions upon execution:
- makes a copy of itself inside the %windir% folder, as "regsvr.exe"
- makes a copy of itself inside the %windir%\system32 folder, as "regsvr.exe"
- makes a copy of itself inside the %windir%\system32 folder, as "svchost .exe"
- registers itself at startup in several places by adding the registry values:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: "Msn Messsenger" -> "c:\Windows\System32\regsvr.exe"
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> "regsvr.exe"
- disables Task Manager, registry tools and Folder Options by setting the following registry keys:
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System: "DisableTaskMgr" -> "0"; "DisableRegistryTools" -> "0"
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: "NofolderOptions" -> "0"
- creates a scheduled job, using the Windows AT command, that runs "%windir%\System32\svchost .exe" (a copy of the malware) every day at 09:00 AM. It also removes the limit on how long scheduled tasks may stay active by setting the key HKLM\SYSTEM\CurrentControlSet\Services\Schedule: "AtTaskMaxHours" -> "0"
- prevents Internet Explorer from starting in offline mode by setting the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings: "GlobalUserOffline" -> "0"
- creates the following registry entry so that its copy is shared: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares: "shared" -> "\New folder.exe". If it finds any shared drives, it copies itself there under the name "New folder.exe"
- spreads via shared drives, removable drives and Yahoo Messenger
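The following read-only triage script is an added example, not part of the BitDefender write-up: it checks a Windows host for the file, registry and scheduled-task indicators listed above and only reports what it finds. It assumes an elevated PowerShell session and that the worm's `schtasks`-visible job still references "svchost .exe"; the "Bad" predicates for Winlogon\Shell and AtTaskMaxHours are my assumptions about what a clean default looks like.

```powershell
# Added triage example (not BitDefender's code). Reports indicators; changes nothing.
$windir = $env:windir
$findings = @()

# File indicators. The space in "svchost .exe" is deliberate: the worm mimics the real
# svchost.exe while avoiding a name collision with it, so match the name literally.
$files = @(
    (Join-Path $windir 'regsvr.exe'),
    (Join-Path $windir 'System32\regsvr.exe'),
    (Join-Path $windir 'System32\svchost .exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Registry indicators. "Bad" decides whether the value's data is suspicious; values that do
# not exist on a clean system are suspicious merely by being present.
$anyPresence = { param($v) $true }
$regChecks = @(
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='Msn Messsenger'; Bad=$anyPresence },
    # Shell normally reads "explorer.exe" (assumed clean default); the worm sets "regsvr.exe".
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell'; Bad={ param($v) $v -ne 'explorer.exe' } },
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr'; Bad=$anyPresence },
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Bad=$anyPresence },
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions'; Bad=$anyPresence },
    # AtTaskMaxHours exists legitimately; the worm zeroes it (assumed: 0 is never a sane admin setting).
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name='AtTaskMaxHours'; Bad={ param($v) $v -eq 0 } },
    @{ Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'; Name='GlobalUserOffline'; Bad=$anyPresence },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name='shared'; Bad=$anyPresence }
)
foreach ($c in $regChecks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $item = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.PSObject.Properties[$c.Name]) {
        $data = $item.$($c.Name)
        if (& $c.Bad $data) { $findings += "Registry value: $($c.Path)\$($c.Name) = $data" }
    }
}

# Scheduled task created via AT. schtasks is used instead of Get-ScheduledTask because it also
# exists on the older Windows versions this worm targeted; the CSV column is "Task To Run".
$tasks = schtasks /query /v /fo csv 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -like '*svchost .exe*') {
        $findings += "Scheduled task '$($t.TaskName)' runs: $($t.'Task To Run')"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Sohanad/Autorun indicators found.' }
```

A hit on the Winlogon Shell value alone is enough to leave the machine untrusted until a full scan completes, since that value runs the worm for every interactive logon even if the Run key and scheduled task have been removed.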
Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: George Cabau, virus researcher