Worm:Win32/Sohanad.DX is a worm that may spread by sending messages to a user's Yahoo! Messenger contacts. It also spreads via removable and shared drives. It can terminate certain processes, modify certain system settings, and close certain windows such as those related to registry editing and the Task Manager.
Installation
Worm:Win32/Sohanad.DX drops the following files:
- <system folder>\svrchost.exe - copy of itself with read-only, system, and hidden attributes
- <system folder>\autorun.ini - initialization file, which is programmed to run the worm copy in the system folder
- %windir%\svrchost.exe - copy of itself
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
It modifies the system registry so that its copies automatically run every time Windows starts:
Adds value: "Shell"
With data: "Explorer.exe svrchost.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "MSN Messengger"
With data: "<system folder>\svrchost.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Yahoo! Messenger
If Yahoo! Messenger is installed and a user is logged in, every 30 minutes Worm:Win32/Sohanad.DX attempts to send one of the following messages to all the user's contacts:
"Ha ha ha click on link to laugh ..."
"i am busy you click on a link and see ..."
"nice one see this .... "
"nice to listen .........."
"see this comedy joke click on this link "
"what a joke ......"
"what a joke .....click to see "
"what is this ? ......see "
followed by a specially crafted URL that is possibly a copy of itself. The messages may change as the worm tries to update them every two hours by downloading new ones from the Web site 'nhatquanglan3.t35.com'.
Removable and shared drives
Worm:Win32/Sohanad.DX drops the following files in the root folders of all shared and removable drives:
- New Games.exe - copy of itself
- autorun.inf - initialization file programmed to automatically run the worm copy when the drive is accessed and if Autorun is enabled
It also creates the following registry entry so that its copy is shared:
Adds value: "shared"
With data: "\New Games.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
On shared drives it also tries to copy itself into every folder, naming the copy after the folder as <Folder Name>.exe, for example, 'F:\Sample folder\Sample folder.exe'.
Payload
Modifies system settings
Worm:Win32/Sohanad.DX changes certain system settings:
- Removes the 'Folder Options' item from the 'Tools' menu in Windows Explorer:
Adds value: "NofolderOptions"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Hides the 'Show hidden files and folders' option in the 'Folder Options' dialog in Windows Explorer:
Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Disables Task Manager:
Adds value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Disables registry editing tools:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
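A defender-side check for the persistence entries and policy changes listed above, written here as an added PowerShell example rather than Microsoft's own tooling; it assumes it is run with administrative rights on the suspect host and that the value names, data and file paths are exactly those given in this description.

```powershell
# Added example: report (and optionally undo) the registry and file changes described
# for Worm:Win32/Sohanad.DX. Assumes administrative rights; svrchost.exe is the worm's
# copy, not a Windows component (the legitimate file is svchost.exe).
[CmdletBinding()]
param([switch]$Remediate)
$findings = @()

# 1. Winlogon Shell must be exactly 'explorer.exe'; the worm appends svrchost.exe to it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell = '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 2. Per-user Run entry (the worm uses the misspelled value name 'MSN Messengger').
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $run -Name 'MSN Messengger' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run value 'MSN Messengger' = '$($runVal.'MSN Messengger')'"
    if ($Remediate) { Remove-ItemProperty -Path $run -Name 'MSN Messengger' }
}

# 3. Policy values that hide Folder Options and disable Task Manager / registry tools.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = @(
    @{ Key = "$pol\Explorer"; Name = 'NoFolderOptions' },
    @{ Key = "$pol\System";   Name = 'DisableTaskMgr' },
    @{ Key = "$pol\System";   Name = 'DisableRegistryTools' }
)
foreach ($p in $policies) {
    $v = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($p.Name) -eq 1) {
        $findings += "$($p.Name) = 1 under $($p.Key)"
        if ($Remediate) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
    }
}

# 4. Dropped files: svrchost.exe in the System folder and %windir%, 'New Games.exe' on drive roots.
$files = @("$env:SystemRoot\System32\svrchost.exe", "$env:SystemRoot\svrchost.exe")
$files += Get-PSDrive -PSProvider FileSystem | ForEach-Object { Join-Path $_.Root 'New Games.exe' }
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file present: $f"
        # -Force is needed because the copies carry read-only, system and hidden attributes.
        if ($Remediate) { Remove-Item -LiteralPath $f -Force -ErrorAction Continue }
    }
}

if ($findings.Count -eq 0) { 'No Sohanad.DX indicators found.' } else { $findings }
```

Run it without -Remediate first to review the findings; file deletion only succeeds once the running svrchost.exe process has been stopped.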
Terminates processes and closes windows
Worm:Win32/Sohanad.DX attempts to terminate the process 'Indian_Game.exe', if found.
It also closes all windows with any of the following strings in their title bars:
cmd.exe
Registry
System Configuration
Windows Task
Analysis by Marian Radu