W32/Sohanad.I Worm

 Information about the W32/Sohanad.I Worm:

W32/Sohanad.I is a worm. The worm will infect Windows systems and spreads through Instant Messaging applications.

The worm arrives as a downloaded file via the popular instant messaging applications.

Upon execution, this worm copies itself as SVHOST32.EXE or SVHOST.EXE in the Windows System folder.

The worm modifies registry at the following location to load itself during each startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger:

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm also modifies the registry to disable Registry Editor and Task Manager.

It also changes the Internet Explorer (IE) home page to;

http://(BLOCKED)ecoolpics.com.

This worm propagates via Yahoo! Messenger, AOL Instant Messenger (AIM), Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipients' system.

The details of the message sent out by this worm are:

http://(Blocked)thecoolpics.com/hot.jpg :x
"hot pics this week " http://(Blocked)thecoolpics.com/hot.jpg :x"
";) 1 of my vacation pictures " http://(Blocked)thecoolpics.com/vacation2.jpg <:-P "
"Screenshot of new windows version _ Windows Vista " http://(Blocked)thecoolpics.com/vista.jpg so cool :D"
"Images shot in Iraq _ The war will never end " http://(Blocked)thecoolpics.com/Iraqwar.jpg << :("
"oh my god , i've won a 20000 usd lottery :O " http://(Blocked)thecoolpics.com/mylottery.jpg << "
"never click into the links like something in this image " http://(Blocked)thecoolpics.com/dontclick.jpg #:-S !!! "
":( the page cannot be displayed " http://(Blocked)thecoolpics.com/error.jpg Something was wrong !!! Check it again and tell me later. THanks"
"My pics " http://(Blocked)thecoolpics.com/mypics.jpgb-( << "
"Miss World 2006: " http://(Blocked)thecoolpics.com/MissWorld.jpg !!"
"Do you realize who is in this image: " http://(Blocked)thecoolpics.com/who.jpg . Just think for a moment and tell me soon ;))"

The worm takes advantage of a vulnerability in Microsoft Data Access Components (MDAC) Function as explained in Microsoft Security Bulletin MS06-014.

Upon successfully exploitation of the the said vulnerability, it allows the worm to connect to the website http:// www.(Blocked)ecoolpics.com/INDEX.HTML to download and execute an embedded script.

It also attempts to connect to the following website to download and execute some malicious files named en.exe and link-en.exe which are copies of itself.

http://(Blocked)rknaturephoto.com/Gallery/albums/Wood-ducks/photos

The worm also terminates some of the security related processes.

This worm first appeared on October 24, 2006.

 Other names of W32/Sohanad.I Worm:

This Worm is also known as WORM_SOHANAD.I .