Worm:Win32/Sohanad.V is an AutoIT worm that spreads through mapped drives and instant messenger applications. It deletes all previously scheduled jobs and modifies several registry settings on the computer. It also connects to a certain Web site to download a file.
Installation
When executed, Worm:Win32/Sohanad.V copies itself as the following files:
- %windows%\regsvr.exe
- <system folder>\regsvr.exe (with the attributes Hidden and System)
- <system folder>\winhelp.exe (with the attributes Hidden and System)
It also drops the file "<system folder>\setup.ini".
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.
Worm:Win32/Sohanad.V modifies the system registry so that its dropped copies run every time Windows starts:
Adds value: "Yahoo Messengger"
With data: "<system folder>\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Sohanad.V also creates a scheduled job with the following command to run its copy "winhelp.exe" every day at 09:00:
<system folder>\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\winhelp.exe
Spreads via...
Mapped drives
Worm:Win32/Sohanad.V can spread to other mapped drives, such as network shares and removable drives. It drops a copy of itself in mapped drives as the following:
To ensure that its dropped copies run when the drive is accessed, it also drops a file with the name "autorun.inf". This dropped file runs the worm copy "regsvr.exe" when the drive is accessed and Autorun is enabled.
Worm:Win32/Sohanad.V also creates the following registry entry to ensure that its dropped copy is shared within the network:
Adds value: "shared"
With data: "\new folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Payload
Modifies computer settings
Worm:Win32/Sohanad.V deletes all scheduled jobs by running the following command:
<system folder>\cmd.exe /C AT /delete /yes
It also creates the following registry entries:
Adds value: "NofolderOptions"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: "DisableTaskMgr"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Worm:Win32/Sohanad.V also modifies the following registry entry so that an additional executable is launched alongside the Windows shell at every logon:
Modifies value: "Shell"
From data (default value): "explorer.exe"
To data: "explorer.exe rundll.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The file "rundll.exe" may refer to a file that is later dropped or downloaded onto the system. A legitimate Windows file with an identical name is present on computers running Windows ME and earlier; in later versions of Windows this file no longer exists by default, so its appearance in the Shell value is not expected.
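The registry changes listed under Installation, Spreads via and Payload above can be checked offline against an exported registry snapshot. The script below is an added example and not Microsoft's code: it assumes the snapshot has already been parsed into a dictionary of key path to value name/data pairs (the infected and clean snapshots embedded in it are constructed from the values quoted in this description).

```python
import re

# Registry locations named in the description (HKCU/HKLM paths as written there)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHARES_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares"
SCHEDULE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule"


def check_snapshot(snapshot):
    """snapshot maps a key path to {value_name: data}, e.g. parsed from a .reg export.
    Returns a list of (key, value_name, reason) tuples; an empty list means no match."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        # The worm's Run value is misspelled "Messengger" and points at regsvr.exe
        if name.lower() == "yahoo messengger" or re.search(r"\\regsvr\.exe$", data, re.I):
            findings.append((RUN_KEY, name, "Sohanad.V autostart entry"))
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    # Winlogon\Shell should be exactly explorer.exe; anything appended runs at every logon
    if shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell", "shell chained to " + shell))
    shared = snapshot.get(SHARES_KEY, {}).get("shared")
    if shared is not None and shared.lower().endswith(".exe"):
        # A WorkgroupCrawler\Shares entry pointing at an executable advertises the worm copy
        findings.append((SHARES_KEY, "shared", "share entry points at " + shared))
    if snapshot.get(SCHEDULE_KEY, {}).get("AtTaskMaxHours") == "0":
        # Set by the worm alongside its daily 09:00 AT job for winhelp.exe
        findings.append((SCHEDULE_KEY, "AtTaskMaxHours", "set to 0 by the worm"))
    return findings


# Constructed snapshots reproducing the values listed above (not taken from a real host)
INFECTED = {
    RUN_KEY: {"Yahoo Messengger": r"C:\Windows\System32\regsvr.exe"},
    WINLOGON_KEY: {"Shell": "explorer.exe rundll.exe"},
    SHARES_KEY: {"shared": r"\new folder.exe"},
    SCHEDULE_KEY: {"AtTaskMaxHours": "0"},
}
CLEAN = {
    RUN_KEY: {"OneDrive": r"C:\Users\user\OneDrive.exe"},
    WINLOGON_KEY: {"Shell": "explorer.exe"},
}

if __name__ == "__main__":
    for hit in check_snapshot(INFECTED):
        print(" | ".join(hit))
```

The Shell check is the one worth keeping in a general baseline: on any supported Windows version that value should be exactly "explorer.exe", so a chained second program is a finding regardless of which malware family wrote it.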
Downloads files
Worm:Win32/Sohanad.V attempts to connect to the Web server "crackspider.net" to download a file named "setting.doc".
Analysis by Wei Li