Category :


Type :


Aliases :

Shoho, Welyah, I-Worm.Welyah, W32/Shoho@mm


Shoho is an email worm that spreads by sending itself from an infected system as an email attachment. The worm also can send out other files (steal information) and pefrorm destructive actions. The worm was discovered in-the-wild in the end of December 2001.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6. The worm's code is not compressed or encrypted.

When an infected file is run (when a user clicks on an attached file, or if the worm gets control through an I-FRAME security breach), the worm's code takes control. First of all, the worm installs its components to a system and registers them in the system registry.

While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE

To send infected messages, the worm uses a direct connection to SMTP server. The worm obtains SMTP's address from the system registry or uses the following pre-defined address:

Victim email addresses are obtained from the files on local disks. The worm scans the files with those extensions:

.eml, .wab, .dbx, *.mbx, *.xls, *.xlt, *.mdb

The infected message body is in HTML format, and exploits an I-FRAME breach to automatically activate an infected attachment on a vulnerable computer.

The infected message looks like that:

Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt [lots of spaces] .pif

The worm stores email list of its victims in the file called 'emailinfo.txt'. The worm keeps its encoded body in 'email.txt' file and uses this file as an attachment when spreading.

The worm attempts to steal certain files from an infected computer. The worm looks for files in the subdirectories on all local hard disks. The following files are searched:


When the worm locates any of these files, it sends them to the ftp server "" for the users 'shit0918', 'shit530', 'shiu58', 'shoho2', 'shoo2206'.

The worm has a destructive payload. It deletes all files in current directory. It can delete files in the Windows root directory after rebooting.

To disinfect a system the following steps are required:

1. The special patch from Microsoft to fix I-Frame vulnerability should be downloaded and installed:

2. The worm's file should be renamed or deleted. Scan your system with F-Secure Anti-Virus and the latest updates. When the worm's file WINL0G0N.EXE is located, select 'Rename' disinfection action. If file can't be renamed, you have to exit to pure DOS (for Win9x systems only) and rename it manually.

IMPORTANT: If an infection is detected in an email database, DO NOT rename or delete it or you will loose all your emails.

3. Restart Windows only when the worm's file is deleted or renamed.

4. Delete all infected messages from your email client database.

F-Secure Anti-Virus detects this worm with updates published on 26th of December, 2001.