464 KB
(Worm:Win32/Sohonad, W32/YahLover.worm.gen, W32.Imaut.N)


The following files will be found on an infected computer:

The following file will be found on infected removable storage devices:
     \New Folder.exe

Other symptoms: disabled Task Manager, disabled Registry Editor

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Roxana Gherle, virus researcher

Technical Description:

Trojan.AutoIt.TD is a compiled AutoIt script that carries a folder icon in order to lure the user into executing it. Upon execution it performs the following malicious actions:

- creates the following two copies of itself:
    C:\Windows\RVHOST.exe - with folder icon
    C:\Windows\system32\RVHOST.exe - hidden file

- adds the following registry keys in order to be run at every system startup:
    Name: Yahoo Messengger
    Value: C:\Windows\system32\RVHOST.exe

    Name: Shell
    Value: Explorer.exe RVHOST.exe

- spreads via Yahoo! Messenger by sending messages that lure users into clicking on the link http://nhattroun[removed]

- deletes all scheduled tasks using the following command line:
    cmd.exe /C AT /delete /yes
and then creates its own scheduled task using the following command:
    cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
which is used to run one of the copies of the malware every day at 9 am.
- tries to download the following files onto the user's computer

- copies itself to all removable devices connected to the infected computer under the name \NewFolder.exe

- copies itself as a shared resource on the network and adds the following registry key:
    Name: shared
    Value: \NewFolder.exe

- modifies the following registry values:
    NoFolderOptions = 0x00000000 - disables access to Tools | Folder Options in Windows Explorer

    DisableRegistryTools = 0x00000001 - disables registry tools
    DisableTaskMgr = 0x00000001 - disables Task Manager
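The indicators above (the two RVHOST.exe copies, the "Yahoo Messengger" startup entry, the tampered Shell value, the policy lockouts, the removable-drive copy and the AT command lines) can be checked offline against a registry export, a file listing and a process command-line log. The script below is an added triage example written for this description; it is not Bitdefender's code or the removal tool. The page does not name the registry locations of the startup entries or policy values, so the Run, Winlogon and Policies key paths used in the constructed sample export are assumed (they are the standard locations for those value names), and the sample data is constructed to resemble an infected host.

```python
import re
from typing import Dict, List

# Constructed sample .reg export resembling an infected host. The key paths
# are assumed; the value names and data come from the description above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\Windows\\system32\\RVHOST.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe RVHOST.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000
"""

# Constructed file listing (e.g. from a directory walk of C:\ and a USB stick).
SAMPLE_FILE_LISTING = [
    r"C:\Windows\RVHOST.exe",
    r"C:\Windows\system32\RVHOST.exe",
    r"C:\Windows\system32\notepad.exe",
    r"E:\New Folder.exe",
]

# Constructed process command-line log; the first two lines are the AT
# commands quoted in the description, the third is benign noise.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /C AT /delete /yes",
    r"cmd.exe /C AT 09.00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe",
    r"cmd.exe /C dir C:\Users",
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
AT_DELETE_RE = re.compile(r"\bAT\s+/delete\s+/yes\b", re.IGNORECASE)
AT_CREATE_RE = re.compile(r"\bAT\s+\d{2}[.:]\d{2}\b.*RVHOST\.exe", re.IGNORECASE)
DROPPED_NAMES = {"rvhost.exe", "newfolder.exe", "new folder.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of the .reg format needed here: [key] headers,
    quoted string values (with \\\\ escapes) and dword values."""
    result: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            result.setdefault(current, {})
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current is not None:
            name, data = val_match.group("name"), val_match.group("data")
            if data.startswith("dword:"):
                value: object = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace("\\\\", "\\")
            else:
                value = data
            result[current][name] = value
    return result


def find_indicators(reg: Dict[str, Dict[str, object]], files: List[str]) -> List[str]:
    """Return one finding per registry value or file matching the description."""
    findings: List[str] = []
    for key, values in reg.items():
        for name, value in values.items():
            lname, sval = name.lower(), str(value)
            if lname == "yahoo messengger" and "rvhost.exe" in sval.lower():
                findings.append(f"startup entry: {key}\\{name} = {sval}")
            if lname == "shell" and "rvhost.exe" in sval.lower():
                findings.append(f"Winlogon Shell tampered: {key}\\{name} = {sval}")
            if lname == "shared" and sval.lower().endswith("newfolder.exe"):
                findings.append(f"network share entry: {key}\\{name} = {sval}")
            if name in ("DisableTaskMgr", "DisableRegistryTools") and value == 1:
                findings.append(f"policy lockout: {name} = 1 under {key}")
            if lname == "nofolderoptions":  # flagged on presence; the page lists it as 0
                findings.append(f"policy set: {name} = {value} under {key}")
    for path in files:
        if path.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
            findings.append(f"dropped file: {path}")
    return findings


def scan_command_lines(lines: List[str]) -> List[str]:
    """Flag the AT task wipe and the 09:00 RVHOST.exe persistence task."""
    hits: List[str] = []
    for line in lines:
        if AT_DELETE_RE.search(line):
            hits.append("scheduled tasks wiped: " + line)
        elif AT_CREATE_RE.search(line):
            hits.append("persistence task created: " + line)
    return hits


if __name__ == "__main__":
    registry = parse_reg_export(SAMPLE_REG_EXPORT)
    for finding in find_indicators(registry, SAMPLE_FILE_LISTING):
        print(finding)
    for hit in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(hit)
```

The Shell value is only flagged when it references RVHOST.exe, since "Explorer.exe" alone is the normal content of that value; the three policy values are reported separately because restoring them is a distinct cleanup step from removing the dropped files and startup entries.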