Summary
A type of worm that spreads on vulnerable Instant Messaging (IM) networks.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variants in the IM-Worm:W32/Sohanad family are worms that spread via instant messaging software, primarily Yahoo Messenger.
Sohanad variants were first encountered in late 2006 targeting Vietnamese users of Yahoo Messenger. Not all later variants have their roots in Vietnam, but Sohanad variants are still largely written by and target Vietnamese Internet users.
Sohanad variants are written with AutoIt scripting language.
Propagation
Sohanad worms use Instant Messenger programs such as Yahoo! Messenger to propagate. When a Sohanad worm on an infected computer detects that Yahoo Messenger is running, it sends a message to the people on the victim's contacts list.
The message includes a URL that direct to a location containing a copy of the worm. Once the recipient of the message clicks on the link, he ends up downloading the worm.
The messages themselves use varying types and levels of social engineering to appear interesting to potential victims. The following are some of the English messages used by Sohanad variants:
- oh my god , i've won a 20000 usd lottery :O http://lottery-news.info/?id=winning_list . Come to my house tonight for a party !! >:D<
- Images shot in Iraq _ The war will never end http://thecoolpics.com/Iraqwar.jpg << :(
- :D who is beside you in this pic http://thecoolpics.com/friendpic1.jpg so good-looking
- Screenshot of new windows version _ Windows Vista http://thecoolpics.com/vista.jpg so cool :D
The file names are not actually part of the URL, but are just included in the messages to make them appear more legitimate.
Some variants also use other Instant Messengers to spread themselves such as AIM, Windows Live Messenger, or Windows Messenger.
Installation
Once downloaded onto the computer, the worm copies itself somewhere on the system under a name that is meant to be inconspicuous. Examples:
- %windir%\system32\Microsoft\svhost32.exe
- %windir%\system32\Microsoft\rvhost.exe
Note: %windir% represents the system's Windows folder.
Sohanad variants also create a registry entry that executes the worm at startup. Typically Sohanads also modify the registry to disable task manager and registry tools. Examples:
- # HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableTaskMgr = 00000001
- # HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system DisableRegistryTools = 00000001
Activity
Members of the Sohanad family often try to end other processes, usually antivirus or other security software.
Other possible targets include Windows Task Manager and Registry Editor.
Some Sohanad worms are also able to change the Internet Explorer home page, download other malware, or spread as an AutoRun worm.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.