Win32/Sohanad [Threat Name]

Win32/Sohanad.AS [Threat Variant Name]

Category worm
Size 1544192 B
Detection created Aug 13, 2008
Detection database version 3353
Aliases Worm:Win32/Nuqel.BF (Microsoft)
  W32.Blastclan (Symantec) (Kaspersky)

Short description

Win32/Sohanad.AS is a worm that spreads via removable media, shared folders and IM.


When executed, the worm copies itself to the following locations:

  • %windir%\SCVVHSOT.exe
  • %system%\SCVVHSOT.exe
  • %system%\blastclnnn.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe SCVVHSOT.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Yahoo Messengger" = "%system%\SCVVHSOT.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NofolderOptions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "AtTaskMaxHours" = 0
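
A triage check built from the registry entries listed above, as an added example that is not ESET's code: it parses the text printed by `reg query` and flags the values this description names. The rule names, the `findings` helper and the sample output are constructed for illustration, and treating any Winlogon `Shell` value other than `explorer.exe` as suspicious is an assumption that is broader than the single value listed.

```python
import re

# Names and values are the ones listed above; SAMPLE is constructed `reg query` output.
WORM_FILES = ("scvvhsot.exe", "blastclnnn.exe")
LOCKOUT_FLAGS = {"nofolderoptions", "disabletaskmgr", "disableregistrytools"}
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value name, type, data) from `reg query` console output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2), m.group(3).strip()

def findings(text):
    """Return (rule, key, value name, data) for entries matching the description."""
    hits = []
    for key, name, rtype, data in parse_reg_query(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        num = int(d, 16) if rtype == "REG_DWORD" else None  # reg prints DWORDs as 0x..
        if k.endswith("\\winlogon") and n == "shell" and d != "explorer.exe":
            rule = "winlogon-shell"  # anything after explorer.exe also starts at logon
        elif k.endswith("\\currentversion\\run") and any(f in d for f in WORM_FILES):
            rule = "run-key"
        elif "\\policies\\" in k and n in LOCKOUT_FLAGS and num == 1:
            rule = "tool-lockout"  # Task Manager, registry tools or Folder Options disabled
        elif k.endswith("\\services\\schedule") and n == "attaskmaxhours" and num == 0:
            rule = "at-task-limit"
        else:
            continue
        hits.append((rule, key, name, data))
    return hits

SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe SCVVHSOT.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger    REG_SZ    C:\Windows\system32\SCVVHSOT.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours    REG_DWORD    0x0
"""

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```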

The worm executes the following commands:

  • AT /delete /yes
  • AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %system%\blastclnnn.exe

The worm creates the following file:

  • %system%\autorun.ini (103 B)

Spreading on removable media

Win32/Sohanad.AS is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following names:

  • New Folder.exe
  • SCVVHSOT.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

The worm copies itself into existing folders of removable drives.

The file name and extension of the newly created file are derived from the original one.

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.

The worm creates the following files:

  • %sharedfolder%\autorun.inf
  • %sharedfolder%\New Folder.exe
  • %sharedfolder%\SCVVHSOT.exe

The worm also copies itself into existing subfolders.

The name of the new file is based on the name of the folder found in the search.

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
    • "shared" = "%sharedfolder%\New Folder.exe"

Spreading via IM networks

Win32/Sohanad.AS is a worm that spreads via IM networks.

The worm sends links to Yahoo! Messenger users.

The messages may contain any of the following texts:

  • E may, vao day coi co con nho nay ngon lam %malwareurl%
  • Vao day nghe bai nay di ban %malwareurl%
  • Biet tin gi chua, vao day coi di %malwareurl%
  • Trang Web nay coi cung hay, vao coi thu di %malwareurl%
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau t %malwareurl%
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may ba %malwareurl%
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi %malwareurl%
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... %malwareurl%
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio da %malwareurl%

If the link is clicked, a copy of the worm is downloaded.

Other information

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Bkav2006
  • [FireLion]
  • Registry
  • Windows Task
  • System Configuration
  • cmd.exe

The worm terminates processes with any of the following strings in the path:

  • game_y.exe

The worm may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "IEProtection"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "BkavFw"

The worm may restart the operating system.

The worm contains a list of 4 URLs. It may attempt to download files from the Internet.

The downloaded files are stored in the following locations:

  • %system%\%variable%

The files are then executed. The HTTP protocol is used.
