Win32/Sohanad [Threat Name] go to Threat

Win32/Sohanad.NGJ [Threat Variant Name]

Category worm
Size 695167 B
Aliases (Kaspersky)
  Worm:Win32/Nuqel.Z (Microsoft)
  W32/YahLover.worm (McAfee)
Short description

Win32/Sohanad.NGJ is a worm that spreads via removable media and IM networks.


When executed the worm copies itself in the following locations:

  • %windir%\­System32\­regsvr.exe
  • %windir%\­regsvr.exe
  • %windir%\­svchost .exe
  • %appdata%\­regsvr.exe

The worm creates the following files:

  • %windir%\­System32\­28463\­svchost.exe (Win32/KeyLogger.Ardamax, 525312 B)
  • %windir%\­System32\­28463\­svchost.001 (2800 B)
  • %windir%\­System32\­setup.ini (96 B)
  • %appdata%\­support\­svchost.exe (Win32/KeyLogger.Ardamax, 525312 B)
  • %appdata%\­support\­svchost.001 (2800 B)
  • %appdata%\­setup.ini (96 B)

The worm executes the following files:

  • %windir%\­System32\­28463\­svchost.exe
  • %appdata%\­support\­svchost.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Msn Messsenger" = "%windir%\­System32\­regsvr.exe"
    • "Yahoo Messsenger" = "%appdata%\­support\­svchost.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Shell" = "Explorer.exe regsvr.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­Schedule]
    • "AtTaskMaxHours" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NofolderOptions" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableTaskMgr" = 0
    • "DisableRegistryTools" = 1

The worm schedules a task that causes the following file to be executed daily:

  • %windir%\­svchost .exe
Spreading via IM networks

If Yahoo! Messenger is installed on the infected system, the worm sends a message to all Yahoo! Messenger contacts.

The messages may contain any of the following texts:

  • cyber cafe scandal visit %maliciousurl%
  • World Business news broadcaster %maliciousurl%
  • Regular monthly income by wearing your shorts at the comfort of your home for more info %maliciousurl%
  • Nfs carbon download %maliciousurl%
  • Latest video shot of infosys girl %maliciousurl%
  • stream Video of Nayanthara and Simbu %maliciousurl%
  • Aishwarya Rai videos %maliciousurl%
  • Free mobile games %maliciousurl%
  • Nse going to crash for more %maliciousurl%

If the link is clicked a copy of the worm is downloaded.


The worm copies itself into existing folders of removable drives.

The name of the file may be based on the name of an existing file or folder. The extension of the file is " .exe" .

It also copies itself into the root folders of removable drives.

The following filename is used:

  • %drive%\­New Folder .exe
  • %drive%\­regsvr.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm tries to copy itself to the available shared network folders.

Other information

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Bkav2006
  • System Configuration
  • Registry
  • Windows mask
  • [FireLion]

The following programs are terminated:

  • game_y.exe
  • cmder.exe

The following Registry entries are deleted:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "BkavFw"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "IEProtection"

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • shut down/restart the computer
  • log keystrokes
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.