Symptoms
- strange start, home and search pages in Internet Explorer
- disabled registry tools
- disabled Task Manager
- disabled Folder Options
- copies itself to:
  "%sysdir%\SSVICHOSST.EXE" / "%desktopdir%\SSVICHOSST.EXE"
  "%windir%\SSVICHOSST.EXE"
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Bogdan Sachelarie, virus researcher
Technical Description:
Once executed, it does the following:
- copies itself to the paths listed above
- modifies the following registry keys:
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" -> "Explorer.exe SSVICHOSST.EXE"
  - "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger" -> "SSVICHOSST.EXE"
  - "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions" -> "1"
  - "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr" -> "1"
  - "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools" -> "1"
  - "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours" -> "0"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL" -> "http://rnd009.googlepages.com/google.html"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL" -> "http://rnd009.googlepages.com/google.html"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page" -> "http://rnd009.googlepages.com/google.html"
  - "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page" -> "http://rnd009.googlepages.com/google.html"
  - "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage" -> "1"
  - "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page" -> "http://rnd009.googlepages.com/google.html"
- it deletes all current scheduled tasks and creates a new daily task that runs the virus
- it creates an "autorun.ini" file in "%sysdir%" / "%desktopdir%", which points to the hidden virus copy located in the same folder
- it downloads a "settings.ini" file from "http://rnd009.t35.com" into "%sysdir%" / "%desktopdir%"
- it fetches a list of files to download from "settings.ini" and runs them
- it sends messages to the user's Yahoo Messenger contacts, either fetched from the "settings.ini" file or predefined ones, which include malicious URLs through which the malware spreads
- it infects removable drives and network shared folders with copies named "New Folder.exe" and adds "autorun.inf" so that the system automatically executes them on activation or browsing
- if found, it tries to kill the following processes:
- if found, it tries to close the following windows:
  - "Bkav2006" (also deletes "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw")
  - "System Configuration"
  - "Registry"
  - "Windows Task"
  - "[FireLion]" (also deletes "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection" and triggers a system shutdown)
The virus executable is displayed with a deceiving folder icon.
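A read-only triage script, added here as an example and not part of the BitDefender description or its tooling, that checks a Windows host for the dropped files, persistence entries, lockdown policies, browser hijack values and scheduler setting listed above. It assumes the standard PowerShell registry provider; the function and variable names are the example's own.

```powershell
# Added triage example (not BitDefender's tooling); read-only, run from an elevated PowerShell.
$sysDir     = [Environment]::GetFolderPath('System')
$winDir     = $env:WINDIR
$deskDir    = [Environment]::GetFolderPath('Desktop')
$hijackHost = 'rnd009.googlepages.com'   # host of the forced start/search page
function Get-RegValue([string]$Path, [string]$Name) {
    # $null (instead of an error) when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Find-SsvichosstIndicators {
    $findings = @()
    # 1. Dropped copies and the autorun.ini launcher in the documented folders
    foreach ($dir in @($sysDir, $winDir, $deskDir)) {
        foreach ($name in 'SSVICHOSST.EXE', 'autorun.ini') {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
        }
    }
    # 2. Winlogon Shell persistence: anything beyond explorer.exe is suspect
    $shell = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') { $findings += "Winlogon Shell = '$shell'" }
    # 3. The misspelled Run entry the worm adds for the current user
    $run = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'Yahoo Messengger'
    if ($run) { $findings += "Run entry 'Yahoo Messengger' = '$run'" }
    # 4. Policy flags that disable Folder Options, Task Manager, regedit and the IE home page
    $policyChecks = @(
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'NoFolderOptions'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',   'DisableTaskMgr'),
        @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',   'DisableRegistryTools'),
        @('HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel', 'HomePage')
    )
    foreach ($c in $policyChecks) {
        if ((Get-RegValue $c[0] $c[1]) -eq 1) { $findings += "Policy set: $($c[0])\$($c[1])" }
    }
    # 5. Browser hijack: any IE Main value pointing at the worm's page, in either hive
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $main = "$hive\SOFTWARE\Microsoft\Internet Explorer\Main"
        foreach ($v in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            $url = Get-RegValue $main $v
            if ($url -and $url -like "*$hijackHost*") { $findings += "IE $v = $url" }
        }
    }
    # 6. Scheduler tampering: the worm forces AtTaskMaxHours to 0
    if ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' 'AtTaskMaxHours') -eq 0) { $findings += 'Schedule\AtTaskMaxHours = 0' }
    return $findings
}
Find-SsvichosstIndicators   # one line per indicator found; no output on a clean host
```

A hit on any of the policy or Winlogon checks is worth investigating even if the executable is no longer present, since the lockdown values survive deletion of the file.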