Classification

Category: Malware

Type: -

Aliases: Shoho, Welyah, I-Worm.Welyah, W32/Shoho@mm

Summary


Shoho is an email worm that spreads by sending itself from an infected system as an email attachment. The worm also can send out other files (steal information) and pefrorm destructive actions. The worm was discovered in-the-wild in the end of December 2001.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6. The worm's code is not compressed or encrypted.

When an infected file is run (when a user clicks on an attached file, or if the worm gets control through an I-FRAME security breach), the worm's code takes control. First of all, the worm installs its components to a system and registers them in the system registry.

While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\Run WINL0G0N.EXE = \WINL0G0N.EXE

To send infected messages, the worm uses a direct connection to SMTP server. The worm obtains SMTP's address from the system registry or uses the following pre-defined address:

210.177.111.18

Victim email addresses are obtained from the files on local disks. The worm scans the files with those extensions:

.eml, .wab, .dbx, *.mbx, *.xls, *.xlt, *.mdb

The infected message body is in HTML format, and exploits an I-FRAME breach to automatically activate an infected attachment on a vulnerable computer.

The infected message looks like that:

Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt [lots of spaces] .pif

The worm stores email list of its victims in the file called 'emailinfo.txt'. The worm keeps its encoded body in 'email.txt' file and uses this file as an attachment when spreading.

The worm attempts to steal certain files from an infected computer. The worm looks for files in the subdirectories on all local hard disks. The following files are searched:

"tree.dat","smdata.dat","hosts.dat","sm.dat"

When the worm locates any of these files, it sends them to the ftp server "ftphd.pchome.com.tw" for the users 'shit0918', 'shit530', 'shiu58', 'shoho2', 'shoo2206'.

The worm has a destructive payload. It deletes all files in current directory. It can delete files in the Windows root directory after rebooting.

To disinfect a system the following steps are required:

1. The special patch from Microsoft to fix I-Frame vulnerability should be downloaded and installed:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

2. The worm's file should be renamed or deleted. Scan your system with F-Secure Anti-Virus and the latest updates. When the worm's file WINL0G0N.EXE is located, select 'Rename' disinfection action. If file can't be renamed, you have to exit to pure DOS (for Win9x systems only) and rename it manually.

IMPORTANT: If an infection is detected in an email database, DO NOT rename or delete it or you will loose all your emails.

3. Restart Windows only when the worm's file is deleted or renamed.

4. Delete all infected messages from your email client database.

F-Secure Anti-Virus detects this worm with updates published on 26th of December, 2001.