(Virus:Win32/Sality.AH W32.Blastclan W32/Kashu.A)


The presence of the files and registry entries mentioned below;
Computer slowdowns;

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

This malware uses a folder-like icon in order to trick the user into double-clicking it.

When run, the malware performs the following actions:

- Creates a mutex named "_kkiuynbvnbrev406" in order to avoid running duplicate instances.
- Drops a DLL named "wd273296.dll" in the "%WINDIR%\System32" directory, together with a packed copy of this DLL under the name "wd273296.dl_".
- Creates a copy of itself under the name "SCVVHOST.exe" in the "%WINDIR%\System32" and "%WINDIR%" directories.
- Creates a copy of itself under the name "blastclnnn.exe" in "%WINDIR%\System32".
- Registers "%WINDIR%\System32\SCVVHOST.exe" to run at system startup by modifying the default shell to "explorer.exe SCVVHOST.exe", and also by creating a new entry named "Yahoo Messengger" under "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" pointing to the same executable.
- To protect itself, it disables the registry tools and the Task Manager and modifies other security settings.
- Deletes all scheduled tasks and creates a new task that runs the copy of the malware located at "%WINDIR%\System32\blastclnnn.exe".
- Drops a driver named "[random-name].sys" in "c:\Windows\system32\drivers\" and uses it to disable some antivirus software.
- Attempts to share a copy of itself named "New Folder.exe" on the local network.
- Includes the functionality required for downloading other malware files from the Internet.
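As an added example (not BitDefender's code), the following PowerShell check looks for the host indicators listed above: the mutex, the dropped files, the modified shell, the "Yahoo Messengger" Run entry, the disabled Task Manager and registry tools, and the scheduled task. It assumes the Winlogon "Shell" value and the standard Policies\System "DisableTaskMgr" / "DisableRegistryTools" values are where the shell change and the disabled tools described above are recorded; the file, mutex and Run entry names come from the description.

```powershell
# Added example, not BitDefender's code. Assumed locations: Winlogon "Shell" for the
# default-shell change, Policies\System DisableTaskMgr/DisableRegistryTools for the
# disabled tools. Names below are taken from the technical description.
$indicators = @{
    Mutex   = '_kkiuynbvnbrev406'
    RunName = 'Yahoo Messengger'
    Files   = @("$env:WINDIR\System32\wd273296.dll",
                "$env:WINDIR\System32\wd273296.dl_",
                "$env:WINDIR\System32\SCVVHOST.exe",
                "$env:WINDIR\SCVVHOST.exe",
                "$env:WINDIR\System32\blastclnnn.exe")
}
function Test-BlastclanIndicators {
    $hits = [System.Collections.Generic.List[string]]::new()
    # 1. Mutex held by a running instance (session-local name, as in the description)
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($indicators.Mutex, [ref]$m)) {
        $hits.Add("mutex present: $($indicators.Mutex)"); $m.Dispose()
    }
    # 2. Dropped files and copies of the malware
    foreach ($f in $indicators.Files) {
        if (Test-Path -LiteralPath $f) { $hits.Add("file present: $f") }
    }
    # 3. Persistence: default shell no longer plain explorer.exe, and the Run entry
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') { $hits.Add("Winlogon Shell = '$shell'") }
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $entry = (Get-ItemProperty -Path $run -Name $indicators.RunName -ErrorAction SilentlyContinue).($indicators.RunName)
    if ($entry) { $hits.Add("Run entry '$($indicators.RunName)' -> $entry") }
    # 4. Task Manager / registry tools disabled (assumed policy value names)
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = (Get-ItemProperty -Path $pol -Name $v -ErrorAction SilentlyContinue).$v
        if ($val -eq 1) { $hits.Add("policy $v = 1") }
    }
    # 5. Scheduled task that launches the System32 copy
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions.Execute -match 'blastclnnn\.exe' } |
        ForEach-Object { $hits.Add("scheduled task: $($_.TaskName)") }
    return $hits
}
Test-BlastclanIndicators
```

An empty result means none of the listed indicators were found on the host; any line returned names the matching artifact so it can be removed with the vendor tool.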