
Win32.Worm.Sohanad.NBM

Ratings: MEDIUM / MEDIUM
Size: 615 kbytes
Aliases: W32.Autorun.worm.cs, Trojan.Win32.Autoit.ci

Symptoms

- presence of %windir%\regsvr.exe
- presence of %windir%\system32\regsvr.exe
- presence of %windir%\system32\svchost .exe (note the space before the extension; the legitimate %windir%\system32\svchost.exe has none)
- presence of the registry values listed in the technical description below
- computer slows down
- Task Manager disabled
- registry editing tools (regedit) disabled

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This worm performs the following actions upon execution (the Trojan.Win32.Autoit.ci alias indicates a compiled AutoIt script):
- copies itself to the %windir% folder as "regsvr.exe"
- copies itself to the %windir%\system32 folder as "regsvr.exe"
- copies itself to the %windir%\system32 folder as "svchost .exe" (the space before the extension is part of the filename; it is a lookalike of the legitimate svchost.exe)
- registers itself to run at startup in several places by adding the following registry values:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : "Msn Messsenger" -> "c:\Windows\System32\regsvr.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : "Shell" -> "regsvr.exe" (the default value of Shell is "Explorer.exe"; replacing it makes the worm start with every interactive logon)
- disables Task Manager, registry editing tools and the Explorer "Folder Options" dialog by setting the following policy values. Note: these restrictions take effect only when the DWORD value is 1; the original listing gives them as "0", which would not disable anything, so treat any non-zero value here as the indicator:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
"DisableTaskMgr" -> "0";
"DisableRegistryTools" -> "0";
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
"NofolderOptions" -> "0";
- creates a scheduled task with the Windows AT command so that "%windir%\System32\svchost .exe" (a copy of the malware) runs every day at 09:00 AM. It also removes the default time limit on how long AT tasks may keep running by setting the following value under HKLM\SYSTEM\CurrentControlSet\Services\Schedule:
"AtTaskMaxHours" -> "0"
- prevents Internet Explorer from starting in offline mode (which would block its network activity) by setting the following value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:
"GlobalUserOffline" -> "0"
- creates the following registry entry so that its copy is exposed through the Explorer share crawler: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares : "shared" -> "\New folder.exe". If it finds any shared drives, it copies itself to them under the name "New folder.exe".

- spreads via network shares, removable drives and Yahoo! Messenger.
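The file and registry indicators above can be checked offline against a host snapshot (a `reg export` of the relevant hives plus a directory listing) without relying on the infected machine's own tools, which the worm disables. The script below is an added example, not part of the original Bitdefender description: it parses .reg export text, applies the indicators listed on this page, and keeps the space in "svchost .exe" intact so the legitimate svchost.exe does not match. Policy values are flagged when non-zero (the setting that actually disables the tools), and the Winlogon Shell is flagged whenever it differs from the default "Explorer.exe". The .reg excerpt, the file listing and the `C:\Windows` location of %windir% are constructed assumptions for the demonstration.

```python
"""Offline triage of a host snapshot against the Win32.Worm.Sohanad.NBM indicators.

Added example. The .reg text and the file listing below are constructed sample data;
%windir% is assumed to be C:\\Windows.
"""
import re
from typing import Callable, Dict, List, Tuple

# File indicators. The space in "svchost .exe" is part of the malicious filename
# (a lookalike of the legitimate svchost.exe), so the comparison must not strip it.
FILE_IOCS: Tuple[str, ...] = (
    r"%windir%\regsvr.exe",
    r"%windir%\system32\regsvr.exe",
    r"%windir%\system32\svchost .exe",
)

# Registry indicators: (key, value name, predicate that returns True for a suspicious value).
# Policy restrictions only take effect when the DWORD is non-zero, hence the != 0 checks.
REG_IOCS: Tuple[Tuple[str, str, Callable[[object], bool]], ...] = (
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Msn Messsenger", lambda v: "regsvr.exe" in str(v).lower()),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell", lambda v: str(v).strip().lower() != "explorer.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", lambda v: isinstance(v, int) and v != 0),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", lambda v: isinstance(v, int) and v != 0),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoFolderOptions", lambda v: isinstance(v, int) and v != 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule",
     "AtTaskMaxHours", lambda v: v == 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares",
     "shared", lambda v: str(v).lower().endswith("new folder.exe")),
)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `reg export` (REGEDIT5) text into {key_lower: {value_name_lower: value}}.

    Key paths and value names are case-insensitive in Windows, so both are lower-cased.
    REG_SZ strings are unescaped; REG_DWORD becomes int; other types are kept as raw text.
    """
    tree: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = tree.setdefault(key_match["key"].lower(), {})
            continue
        val_match = _VAL_RE.match(line)
        if val_match is None:
            continue
        name = val_match["name"].lower()
        data = val_match["data"]
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            current[name] = data  # hex:, expand-sz, multi-sz etc. left unparsed
    return tree


def _expand(path: str, windir: str) -> str:
    return path.replace("%windir%", windir).lower()


def scan(reg_text: str, file_listing: List[str], windir: str = r"C:\Windows") -> List[str]:
    """Return one description per matched indicator; an empty list means no match."""
    hits: List[str] = []
    # Exact (case-folded) path comparison: whitespace is deliberately NOT normalised.
    present = {p.lower() for p in file_listing}
    for ioc in FILE_IOCS:
        if _expand(ioc, windir) in present:
            hits.append(f"file: {ioc}")
    tree = parse_reg_export(reg_text)
    for key, name, is_bad in REG_IOCS:
        values = tree.get(key.lower(), {})
        if name.lower() in values and is_bad(values[name.lower()]):
            hits.append(f"registry: {key}\\{name} = {values[name.lower()]!r}")
    return hits


# Constructed sample snapshot: an infected host with the worm's Run value, hijacked
# Winlogon Shell, policy restrictions and AT limit removal, plus the two dropped files.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="c:\\Windows\\System32\\regsvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="regsvr.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"""

SAMPLE_FILES = [
    r"C:\Windows\regsvr.exe",
    r"C:\Windows\System32\svchost .exe",
    r"C:\Windows\System32\svchost.exe",  # legitimate file, must not be reported
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

On a real case the inputs come from a clean system: export the hives with `reg export` from a recovery environment or a mounted forensic image, and produce the file listing from the mounted volume rather than from the infected OS, since the worm's copies impersonate trusted names and the host's own Task Manager and registry tools are disabled.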