Worm:Win32/Sohanad.AS is a worm that spreads via mapped network drives. It changes certain system settings and may terminate processes.
Installation
When executed, Worm:Win32/Sohanad.AS creates multiple copies of itself in the following locations:
- %SystemDrive%\KHATRA.exe
- %windir%\Xplorer.exe
- %windir%\system\gHost.exe
- <system folder>\KHATRA.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates a shortcut to one of its dropped copies in the following folder:
<startup folder>\(Empty).LNK - points to %SystemDrive%\KHATRA.exe
Note - <startup folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Startup folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu\Programs\Startup'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'.
It also modifies the system registry so that its dropped copies run every time Windows starts:
Adds value: "G_Host"
With data: ""%windir%\system\gHost.exe" /Reproduce"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "Xplorer"
With data: "<system folder>\KHATRA.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Adds value: "Taskman"
With data: "<system folder>\KHATRA.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Xplorer"
With data: ""%windir%\Xplorer.exe" /Windows"
To subkey: HKLM\SOFTWARE\KHATRA\Startup_List
Adds value: "load"
With data: "<system folder>\KHATRA.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
It also creates the following subkeys and entries as part of its installation process:
Adds value: "NoUnsafeTypeCautionForSCR"
With data: "1"
Adds value: "NoUnsafeTypeCautionForEXE"
With data: "1"
To subkey: HKCU\Software\Nico Mak Computing\WinZip\caution
Spreads Via...
Logical Drives
Worm:Win32/Sohanad.AS enumerates all drives on the affected system and copies the following files to the root of every writable drive:
- KHATRA.EXE - worm copy
- \inf\autorun.inf - INF file that enables the worm copy to run automatically when the drive is accessed, if AutoRun is enabled
Payload
Modifies System Settings
Win32/Sohanad.AS modifies the system registry to change the way certain processes are run or displayed:
- Prevents the user from starting or accessing Control Panel, or running any Control Panel programs:
Adds value: "NoControlPanel"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Disables Registry Tools such as Regedit:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Changes the way hidden files are displayed in the system:
Adds value: "CheckedValue"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Adds value: "Hidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Disables AutoRun for all drive types (0xFF sets every drive-type bit of NoDriveTypeAutoRun, which also stops the worm's own autorun.inf from triggering for this user on the infected host):
Adds value: "NoDriveTypeAutoRun"
With data: "0xFF"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Terminates Processes
Worm:Win32/Sohanad.AS tries to terminate several tools, such as Process Explorer.
Changes Internet Explorer Settings
Worm:Win32/Sohanad.AS changes the Internet Explorer window title from its current value to "Internet Exploiter".
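The following PowerShell triage script is an added example; it is not part of the original analysis and not Microsoft tooling. It checks a host for the dropped files, the startup shortcut, the registry persistence entries and the policy changes listed in the Installation, Spreads Via and Payload sections above, and with -Remediate it stops the worm's processes and removes what it finds. The process names (KHATRA, Xplorer, gHost) are assumed from the dropped file names, and the extra check for autorun.inf in the drive root (the page only names \inf\autorun.inf) is an assumption, since AutoRun only honours a file in the root.

```powershell
# Added triage script for the Sohanad.AS indicators listed on this page.
# Not part of the original analysis. Run from an elevated PowerShell prompt;
# without -Remediate it only reports, with -Remediate it kills the worm's
# processes and removes the files and registry values it finds.
[CmdletBinding()]
param([switch]$Remediate)

$sysDir  = [Environment]::SystemDirectory           # <system folder>
$startup = [Environment]::GetFolderPath('Startup')  # <startup folder>

# Dropped copies and the startup shortcut (Installation section).
$files = @(
    (Join-Path $env:SystemDrive 'KHATRA.exe'),
    (Join-Path $env:windir 'Xplorer.exe'),
    (Join-Path $env:windir 'system\gHost.exe'),
    (Join-Path $sysDir 'KHATRA.exe'),
    (Join-Path $startup '(Empty).LNK')
)
# Root-of-drive copies (Spreads Via section). The page names \inf\autorun.inf;
# the root-level autorun.inf check is an assumption, since AutoRun only reads
# a file in the drive root.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $files += (Join-Path $d.Root 'KHATRA.EXE')
    $files += (Join-Path $d.Root 'inf\autorun.inf')
    $files += (Join-Path $d.Root 'autorun.inf')
}

# Registry indicators. No Data entry means the value does not exist on a clean
# host, so its presence with non-empty data is the finding. Keep = $true marks
# a value that is reported but not removed on remediation.
$regIocs = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'G_Host' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Xplorer' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'Taskman' },
    @{ Key = 'HKLM:\SOFTWARE\KHATRA\Startup_List';                                     Name = 'Xplorer' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';             Name = 'load' },
    @{ Key = 'HKCU:\Software\Nico Mak Computing\WinZip\caution'; Name = 'NoUnsafeTypeCautionForSCR'; Data = 1 },
    @{ Key = 'HKCU:\Software\Nico Mak Computing\WinZip\caution'; Name = 'NoUnsafeTypeCautionForEXE'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Data = 0 },
    # 0xFF disables AutoRun on every drive type; that is a hardening setting, so it is reported but kept.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';   Data = 255; Keep = $true }
)
# CheckedValue=1 under ...\Hidden\SHOWALL (also listed on the page) is the Windows
# default, so it is not a usable indicator and is not checked.

if ($Remediate) {
    # Process names assumed from the dropped file names; stop them before deleting files.
    Get-Process -Name KHATRA, Xplorer, gHost -ErrorAction SilentlyContinue | Stop-Process -Force
}

$findings = @()
foreach ($ioc in $regIocs) {
    if (-not (Test-Path -Path $ioc.Key)) { continue }
    $item = Get-ItemProperty -Path $ioc.Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.PSObject.Properties.Name -notcontains $ioc.Name) { continue }
    $data = $item.($ioc.Name)
    $hit  = if ($ioc.ContainsKey('Data')) { $data -eq $ioc.Data } else { "$data" -ne '' }
    if (-not $hit) { continue }
    $findings += "REG  $($ioc.Key) [$($ioc.Name)] = $data"
    if ($Remediate -and -not $ioc.Keep) {
        Remove-ItemProperty -Path $ioc.Key -Name $ioc.Name -Force
    }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -ErrorAction SilentlyContinue) {
        $findings += "FILE $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
}
if ($Remediate -and (Test-Path 'HKLM:\SOFTWARE\KHATRA')) {
    # The worm's own key; nothing legitimate lives under it.
    Remove-Item -Path 'HKLM:\SOFTWARE\KHATRA' -Recurse -Force
}

if ($findings.Count -eq 0) { 'No Sohanad.AS indicators found.' } else { $findings }
```

Run it once without -Remediate and review the report before cleaning. The dropped files may carry hidden and system attributes, which Remove-Item -Force handles. The HKCU policy values survive a reboot on their own, so a Control Panel that stays blocked or a Regedit that stays disabled after the worm's processes are gone means those values were not removed; the script clears them with -Remediate, and deliberately leaves NoDriveTypeAutoRun=0xFF in place because it is the setting you would want on the host anyway.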
Additional Information
This worm includes the following strings in its code:
# Stop people from watching porn sites on the internet
# <removed> IT ALL! <removed> THIS WORLD!, <removed> EVERYTHING THAT YOU STAND FOR!, DON'T BELONG! DON'T EXIST!, DON'T GIVE A <removed>!, DON'T EVER JUDGE ME!
# Mcafee sucks
# Say NO to drugs
# Never trust an unknown person in social networking sites
# Stop this Asshole 'Nhatquanglan' AKA 'Phuong anh' from creating Malwares.
# Anti virus researchers after cracking AutoIt Malwares name them after 'AutoIt' which makes malware authors easy to identify an AutoIt malware and decompile them with a decompiler [which is easily available to everyone] and use the source code for their own malicious purposes. Most of the AutoIt Malwares have the same source code of the other AutoIt Malwares. That's the reason why some of the Malware authors prefer AutoIt.
# <removed> You [Malware Authors] if you are doing this [creating Malwares] and continue to do this.
Analysis by Francis Allan Tan Seng