Shoho is an e-mail worm that spreads by sending itself from an infected system as an e-mail attachment. The worm also can send out other files (steal information) and pefrorm destructive actions. The worm was discovered in-the-wild in the end of December 2001.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6. The worm's code is not compressed or encrypted.
When an infected file is run (when a user clicks on an attached file, or if the worm gets control through an I-FRAME security breach), the worm's code takes control. First of all, the worm installs its components to a system and registers them in the system registry.
While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE
To send infected messages, the worm uses a direct connection to SMTP server. The worm obtains SMTP's address from the system registry or uses the following pre-defined address:
Victim e-mail addresses are obtained from the files on local disks. The worm scans the files with those extensions:
.eml, .wab, .dbx, *.mbx, *.xls, *.xlt, *.mdb
The infected message body is in HTML format, and exploits an I-FRAME breach to automatically activate an infected attachment on a vulnerable computer.
The infected message looks like that:
Subject: Welcome to Yahoo! Mail Body: Welcome to Yahoo! Mail Attachment: readme.txt <lots of spaces> .pif
The worm stores e-mail list of its victims in the file called 'emailinfo.txt'. The worm keeps its encoded body in 'email.txt' file and uses this file as an attachment when spreading.
The worm attempts to steal certain files from an infected computer. The worm looks for files in the subdirectories on all local hard disks. The following files are searched:
When the worm locates any of these files, it sends them to the ftp server "ftphd.pchome.com.tw" for the users 'shit0918', 'shit530', 'shiu58', 'shoho2', 'shoo2206'.
The worm has a destructive payload. It deletes all files in current directory. It can delete files in the Windows root directory after rebooting.
To disinfect a system the following steps are required:
1. The special patch from Microsoft to fix I-Frame vulnerability should be downloaded and installed:
2. The worm's file should be renamed or deleted. Scan your system with F-Secure Anti-Virus and the latest updates. When the worm's file WINL0G0N.EXE is located, select 'Rename' disinfection action. If file can't be renamed, you have to exit to pure DOS (for Win9x systems only) and rename it manually.
IMPORTANT: If an infection is detected in an e-mail database, DO NOT rename or delete it or you will loose all your e-mails.
3. Restart Windows only when the worm's file is deleted or renamed.
4. Delete all infected messages from your e-mail client database.
F-Secure Anti-Virus detects this worm with updates published on 26th of December, 2001.
[Kaspersky Labs and F-Secure Corp.; December 27th, 2001]