Installation
Worm:Win32/Sohanad.AN copies itself to the following locations:
The malware changes the following registry entries so that it runs each time you start your PC:
Sets value: "Shell"
With data: "explorer.exe regsvr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The malware creates the following files on your PC:
The malware tries to create a scheduled Windows task that runs the worm at 09:00 am every day of the week, by running the following Windows shell commands:
cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\svchost .exe
Spreads via…
Malware in the Win32/Sohanad family can use a number of messaging applications to spread itself, including Yahoo Messenger, AIM, Windows Messenger, and Google Talk. It sends a message to all of your contacts with a link to a copy of itself.
Network shares
Some variants of Win32/Sohanad also try to spread through network shares by querying the following registry entry and copying themselves to any shared folders specified by this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Payload
Changes system settings
Worm:Win32/Sohanad.AN overrides the timeout period so that scheduled tasks aren't stopped after a timeout. It does this by making the following registry change:
Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
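The three persistence traits described on this page (the extra program appended to the Winlogon "Shell" value, the AtTaskMaxHours timeout set to 0, and an AT job whose target is a look-alike name such as "svchost .exe" with a space before the extension) can be checked offline against a registry export and AT job listing. The following is an added example, not part of this description or of any Microsoft tooling; the registry export and AT lines are constructed samples, and the key paths are assumed to be written in .reg-export form.

```python
import re

# Constructed .reg-style export covering the two keys named above (illustrative).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe regsvr.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"""

# Constructed lines in the style of `AT` output; job 1 mimics the worm's task.
SAMPLE_AT = [
    r"1   Each M T W Th F S Su   9:00 AM   C:\WINDOWS\system32\svchost .exe",
    r"2   Each M                 3:00 AM   C:\tools\backup.cmd",
]

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
SCHEDULE = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SCHEDULE"

def parse_reg(text):
    """Map (KEY, value name) -> raw data string from a .reg-style export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()          # keys are case-insensitive
        elif key and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            entries[(key, name)] = data.strip('"')
    return entries

def find_sohanad_indicators(reg_text, at_lines):
    """Return a list of findings matching the persistence traits described."""
    hits, reg = [], parse_reg(reg_text)
    # 1. Winlogon Shell should be exactly explorer.exe; extra tokens run at logon.
    shell = reg.get((WINLOGON, "Shell"), "")
    extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extra:
        hits.append(f"Winlogon Shell runs extra programs: {extra}")
    # 2. AtTaskMaxHours=0 disables the scheduler's timeout for AT jobs.
    data = reg.get((SCHEDULE, "AtTaskMaxHours"), "")
    if data.lower().startswith("dword:") and int(data[6:], 16) == 0:
        hits.append("AtTaskMaxHours is 0 (AT job timeout disabled)")
    # 3. A job target with whitespace before '.exe' is a system-binary look-alike.
    for line in at_lines:
        if re.search(r"\\[^\\]*\s+\.exe\s*$", line, re.IGNORECASE):
            hits.append("Suspicious AT job target: " + line.strip())
    return hits
```

On a live host the same checks apply to `reg export` output for the two keys and to the listing printed by `AT` with no arguments.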
Contacts remote host
The malware can contact a remote host at yahoo.com using port 80. Commonly, malware does this to:
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 35ec8d55d48be9a3e257c0c8678bfec16433c556.