
Win32.Worm.Sohanad.NBN

MEDIUM
MEDIUM
602 KB
(W32.Imaut, W32/Autorun.worm.cs, Worm/Autoit.XJ, AutoIt:AutoRun-B2, IM-Worm:W32/Sohanad.HM)

Symptoms

Presence of the following files:
%windir%\regsvr.exe
%windir%\system32\regsvr.exe
%windir%\system32\svchost .exe
%windir%\system32\setup.ini


Presence of regsvr.exe as an active process, consuming a large share of CPU time

On removable storage devices, presence of the following files:
\NewFolder.exe
\regsvr.exe
\autorun.inf

Removal instructions:

Kill the process regsvr.exe
Delete the following files:
%windir%\regsvr.exe
%windir%\system32\regsvr.exe
%windir%\system32\svchost .exe
%windir%\system32\setup.ini


Reset the following registry values:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared set to ""
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools set to 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr set to 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions set to 0

Erase all the files the worm has created on your removable media.

Please let BitDefender disinfect your files.

Analyzed By

Tudor Bura, virus researcher

Technical Description:

This worm arrives as a 617343-byte file with a folder icon, to entice the user into executing it.
Upon execution, the worm copies itself to the following files:
%windir%\regsvr.exe
%windir%\system32\regsvr.exe
%windir%\system32\svchost .exe

The files are hidden and also carry a directory icon.

The worm also creates the file %windir%\system32\setup.ini, which it copies as autorun.inf onto any removable medium connected to the system. This ensures the worm is executed on any system to which the removable medium is later connected. The file contains:
[Autorun]
Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\Open\command=regsvr.exe
Shell=Open

The worm also copies itself into every directory of any connected removable medium as <DirName> .exe (note the space before the extension), again with a folder icon.

The worm creates a scheduled task via at.exe that runs C:\windows\system32\svchost .exe every day at 9:00 AM. It also removes the duration limit on scheduled tasks by setting the registry value HKLM\System\CurrentControlSet\Services\Schedule\AtTaskMaxHours to 0.

Registry modifications:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared is set to "\New Folder .exe": the worm tries to add itself to the system's shared folders.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline is set to 0: the user will not be able to open Internet Explorer in offline mode.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable and HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable are set to 0 to disable the use of a proxy server.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools is set to 1 to disable regedit.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr is set to 0; the worm presumably intends to disable Task Manager, but doing so would require setting this value to 1.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions is set to 0; the worm presumably intends to disable Folder Options, but doing so would require setting this value to 1.
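The following read-only triage script is an added example, not a Bitdefender tool; it checks a Windows host for the indicators listed in the symptoms and technical description above (dropped files, the regsvr.exe process, the registry values, the at.exe task, and autorun.inf plus folder-icon decoys on removable drives). Run it in an elevated PowerShell session; it only reports findings and does not remove anything.

```powershell
# Added example: read-only check for the Win32.Worm.Sohanad.NBN indicators described above.
$win = $env:windir
$files = @(
    "$win\regsvr.exe",
    "$win\system32\regsvr.exe",
    "$win\system32\svchost .exe",   # space before .exe: this is NOT the legitimate svchost.exe
    "$win\system32\setup.ini"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Output "FILE    : $f present" }
}

# The legitimate Windows tool is regsvr32.exe; a running regsvr.exe is suspicious.
Get-Process -Name regsvr -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "PROCESS : regsvr.exe running, PID $($_.Id), path $($_.Path)" }

# Registry values the worm sets (value named in the description vs. what is on the host).
$regChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared'; Bad = '\New Folder .exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'GlobalUserOffline'; Bad = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours'; Bad = 0 }
)
foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and "$v" -eq "$($c.Bad)") { Write-Output "REGISTRY: $($c.Path)\$($c.Name) = $v" }
}

# Scheduled task created through at.exe that launches the fake "svchost .exe".
schtasks /query /fo list /v | Select-String -SimpleMatch 'svchost .exe' |
    ForEach-Object { Write-Output "TASK    : $($_.Line.Trim())" }

# Removable drives (DriveType 2): autorun.inf that launches regsvr.exe, and "<DirName> .exe" decoys.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw
        if ($text -match '(?im)^\s*(open|shellexecute|shell\\open\\command)\s*=\s*regsvr\.exe') {
            Write-Output "AUTORUN : $inf launches regsvr.exe"
        }
    }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $decoy = Join-Path $root "$($_.Name) .exe"   # folder name plus " .exe", as the worm names its copies
        if (Test-Path -LiteralPath $decoy) { Write-Output "DECOY   : $decoy" }
    }
}
```

A clean host prints nothing; any line that does appear maps directly to one of the indicators in the description above, which the removal instructions then cover.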