F-Secure Virus Descriptions : Shoho
Aliases: Welyah, I-Worm.Welyah, W32/Shoho@mm
Shoho is an e-mail worm that spreads by sending itself from an
infected system as an e-mail attachment. The worm can also send
out other files (stealing information) and perform destructive
actions. The worm was discovered in the wild at the end of
December 2001.
The worm itself is a Windows PE EXE file about 108K in length,
written in Visual Basic 6. The worm's code is not compressed or
encrypted.
When an infected file is run (when a user clicks on an attached
file, or if the worm gets control through an I-FRAME security
breach), the worm's code takes control. First, the worm installs
its components on the system and registers them in the system
registry.
While installing, the worm copies itself to the Windows system
directory under the name WINL0G0N.EXE and registers this file in
the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = \WINL0G0N.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = \WINL0G0N.EXE
To send infected messages, the worm connects directly to an SMTP
server. The worm obtains the SMTP server's address from the system
registry, or uses the following pre-defined address:
210.177.111.18
Victim e-mail addresses are obtained from files on local disks.
The worm scans files with the following extensions: .eml, .wab,
.dbx, .mbx, .xls, .xlt, .mdb
The infected message body is in HTML format and exploits an
I-FRAME vulnerability to automatically activate the infected
attachment on a vulnerable computer.
The infected message looks like this:
Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt <lots of spaces> .pif
The worm stores the list of victim e-mail addresses in a file
called 'emailinfo.txt'. The worm keeps its encoded body in the
file 'email.txt' and uses this file as the attachment when
spreading.
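The attachment name "readme.txt <lots of spaces> .pif" works because a mail client that truncates long file names shows only the harmless-looking "readme.txt". The following script is an added example, not part of the F-Secure description: it classifies attachment names seen at a mail gateway, distinguishing a padded double extension (the worm's trick) from a plain double extension and from an undisguised executable. The sample names are constructed, and the two extension sets are assumptions.

```python
"""Classify attachment file names that hide an executable extension.

Added example, not from the F-Secure description. The sample names below
are constructed and the extension sets are assumptions.
"""
from typing import Optional

# Extensions Windows executes when the attachment is opened (assumption).
EXECUTABLE_EXTENSIONS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions a user reads as a harmless document or picture (assumption).
DOCUMENT_EXTENSIONS = {"txt", "doc", "xls", "pdf", "jpg", "gif", "htm", "html"}

PADDED_DOUBLE = "padded-double-extension"   # readme.txt<spaces>.pif
DOUBLE = "double-extension"                 # readme.txt.pif
EXECUTABLE = "executable"                   # setup.exe


def split_extension(name: str):
    """Split 'stem.ext' on the last dot; ext comes back lower-cased and stripped."""
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext.strip().lower()


def classify_attachment(name: str) -> Optional[str]:
    """Return a verdict for a disguised or plain executable, None for anything else."""
    stem, ext = split_extension(name)
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    # Whitespace (spaces or tabs) sitting between the visible name and the real extension.
    padding = len(stem) - len(stem.rstrip())
    _, inner_ext = split_extension(stem.rstrip())
    if inner_ext in DOCUMENT_EXTENSIONS:
        return PADDED_DOUBLE if padding else DOUBLE
    return EXECUTABLE


def scan_attachments(names):
    """Map each suspicious name (whitespace collapsed for display) to its verdict."""
    results = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict:
            results[" ".join(name.split())] = verdict
    return results


# Constructed sample names; the first one mimics the worm's naming trick.
CONSTRUCTED_NAMES = [
    "readme.txt" + " " * 80 + ".pif",
    "readme.txt.pif",
    "photo.jpg\t\t\t.scr",
    "setup.exe",
    "report.pdf",
    "notes.txt   ",
]

if __name__ == "__main__":
    for shown, verdict in scan_attachments(CONSTRUCTED_NAMES).items():
        print(f"{verdict:26} {shown}")
```

The classification is done on the decoded file name, so a gateway using it must first unfold and decode the Content-Disposition header; trailing whitespace after a harmless extension (the last sample) is deliberately not flagged, since nothing executable follows it.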
The worm attempts to steal certain files from the infected
computer. It looks for the following files in the subdirectories
of all local hard disks:
"tree.dat","smdata.dat","hosts.dat","sm.dat"
When the worm locates any of these files, it sends them to the
FTP server "ftphd.pchome.com.tw" using the user accounts
'shit0918', 'shit530', 'shiu58', 'shoho2', 'shoo2206'.
The worm has a destructive payload: it deletes all files in the
current directory, and it can delete files in the Windows root
directory after a reboot.
To disinfect a system, the following steps are required:
1. Download and install the Microsoft patch that fixes the I-Frame
vulnerability:
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp
2. Rename or delete the worm's file. Scan your system with
F-Secure Anti-Virus using the latest updates. When the worm's
file WINL0G0N.EXE is located, select the 'Rename' disinfection
action. If the file cannot be renamed, exit to pure DOS (Win9x
systems only) and rename it manually.
IMPORTANT: If an infection is detected in an e-mail database, DO
NOT rename or delete the database, or you will lose all your
e-mails.
3. Restart Windows only after the worm's file has been deleted or
renamed.
4. Delete all infected messages from your e-mail client database.
F-Secure Anti-Virus detects this worm with updates published on
26th of December, 2001.
[Kaspersky Labs and F-Secure Corp.; December 27th, 2001]