
F-Secure Malware Information Pages: IM-Worm:W32/Sohanad


Name: IM-Worm:W32/Sohanad
Alias: Sohanad, IM-Worm.Win32.Sohanad
Type: IM-Worm
Category: Malware
Platform: W32

Summary
IM-Worm:W32/Sohanad is a family of worms that spread via instant messaging software, primarily Yahoo Messenger.

Detailed Description
Sohanad variants were first encountered in late 2006, targeting Vietnamese users of Yahoo Messenger. Not all later variants originated in Vietnam, but Sohanad variants are still largely written by, and aimed at, Vietnamese Internet users. Sohanad variants are written in the AutoIt scripting language.

When a Sohanad variant detects that Yahoo Messenger is running, it sends a message to everyone on the victim's contact list.

The message includes a URL that points to a location hosting a copy of the worm. A recipient who clicks the link downloads the worm.

The messages use varying types and levels of social engineering to appear interesting to potential victims. Some variants also spread through other instant messengers in addition to Yahoo Messenger, such as AIM, Windows Live Messenger, or Windows Messenger.

The following are some of the English messages used by Sohanad variants:

  • oh my god , i've won a 20000 usd lottery :O
    http://lottery-news.info/?id=winning_list . Come to my house tonight for a party !! >:D<
  • Images shot in Iraq _ The war will never end
    http://thecoolpics.com/Iraqwar.jpg << :(
  • :D who is beside you in this pic
    http://thecoolpics.com/friendpic1.jpg so good-looking
  • Screenshot of new windows version _ Windows Vista
    http://thecoolpics.com/vista.jpg so cool :D

The image file names shown in the links are decoys included only to make the messages look legitimate; what the link actually delivers is a copy of the worm.

The worm copies itself to a location on the system under a name meant to look inconspicuous. Examples:

  • %windir%\system32\Microsoft\svhost32.exe
  • %windir%\system32\Microsoft\rvhost.exe

Note: %windir% represents the system's Windows folder.

Sohanad variants also create a registry entry that executes the worm at startup. Typically they also modify the registry to disable Task Manager and the Registry Editor. Examples:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableTaskMgr = 00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
    DisableRegistryTools = 00000001

Members of the Sohanad family often try to end other processes, usually antivirus or other security software. Other possible targets include Windows Task Manager and Registry Editor. Some Sohanads are also able to change the Internet Explorer home page, download other malware, or spread as an AutoRun worm.
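As an added example (not F-Secure's code, and not the worm's), the following PowerShell audits a Windows host for the indicators this page lists: the two drop paths, the two policy values, and a startup entry that references the dropped file names. The page does not name the startup key, so checking the standard Run keys is an assumption, as are the function name and the -Remediate switch.

```powershell
# Added example, not F-Secure's code or the worm's: audit a host for the
# Sohanad indicators listed on this page. Function name, the -Remediate switch
# and the choice of Run keys are assumptions; paths and values are from the page.
function Get-SohanadIndicators {
    [CmdletBinding()]
    param(
        # Remove the policy values and Run entries that are found. Files are
        # reported only: stop the running process before deleting them.
        [switch]$Remediate
    )

    $findings = @()

    # 1. Drop locations named on the page (%windir% = the Windows folder).
    $dropFiles = @(
        (Join-Path $env:windir 'system32\Microsoft\svhost32.exe'),
        (Join-Path $env:windir 'system32\Microsoft\rvhost.exe')
    )
    foreach ($f in $dropFiles) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Value = $hash }
        }
    }

    # 2. Policy values the page lists; 1 means the tool is disabled for this user.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $val = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            $findings += [pscustomobject]@{ Type = 'Policy'; Location = "$policyKey\$name"; Value = $val }
            if ($Remediate) { Remove-ItemProperty -Path $policyKey -Name $name }
        }
    }

    # 3. Startup entry. The page says one is created but does not name the key,
    #    so checking the standard Run keys is an assumption. Flag any value whose
    #    command line references one of the drop file names.
    $dropNames = $dropFiles | ForEach-Object { [System.IO.Path]::GetFileName($_) }
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($valueName)
            foreach ($n in $dropNames) {
                if ($cmd -like "*$n*") {
                    $findings += [pscustomobject]@{ Type = 'Run'; Location = "$key\$valueName"; Value = $cmd }
                    if ($Remediate) { Remove-ItemProperty -Path $key -Name $valueName }
                }
            }
        }
    }

    return $findings
}

# Report only; add -Remediate to clear the policy values and Run entries.
Get-SohanadIndicators | Format-Table -AutoSize
```

Run it in the context of the affected user, since the policy values and one of the Run keys live under HKCU. Because the worm disables Task Manager, terminate the dropped executable with Stop-Process before deleting the files, otherwise a running variant can recreate the entries that -Remediate removes.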
F-Secure Corporation

Last Modified: February 19, 2008