My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


~18 KBytes
(W32.Shoho-A, W32.Shoho@mm, I-Worm.Welyah)


- File winl0g0n.exe in Windows and Windows System directory
- The following keys in registry: "HK CU\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe" with value "%WINDIR%\Winl0g0n.exe" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe" with the same value.

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to backup the windows registry before proceeding with these changes. For more information on backing the registry please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following key:

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Shoho.A@mm.

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

It arrives in the following format:

Subject: Welcome to Yahoo!
Attachment: Readme.txt many spaces .pif

The worm uses the Iframe vulnerability for spreading when user is previewing the e-mail. A patch and more details for this vulnerability can be found at:

After the virus is executed it will copies itself as Winl0g0n.exe in Windows and Windows System directory.

Then it adds the following registry keys: " HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe" with value "%WINDIR%\Winl0g0n.exe" and "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winl0g0n.exe" with the same value.

After that it scans on Hard Disk for files with the following extensions: Eml, wab, dbx, mbx, xls, xlt, mdb, .sys and it searches in those files for e-mail addresses.

For sending itself to those addresses the worm uses the users SMTP server, or if it can’t find that server it uses a server that is hard coded in it’s body.

After restart the worm tries to delete the files from Windows and Windows System directory.