Quote:
Originally Posted by wesleyc
it's clean?
Information about the Sohanad Worm (detected in analysis of the file GreYFoX_NoDC_1.141_Beta_2_Memory_):
Sohanad is a worm. The worm will infect Windows systems and spreads through Yahoo! Messenger, a popular instant messaging application.
The worm arrives as a downloaded file via Yahoo! Messenger.
Upon execution, this worm copies itself as SVHOST32.EXE and SVHOST.EXE in the Windows folder.
The worm modifies registry at the following location to load itself during each startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry keys to modify the settings of Yahoo! Messenger.
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
The worm also modifies the registry to disable Registry Editor and Task Manager.
It also changes the Internet Explorer (IE) home page to;
This worm propagates via Yahoo! Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipient's system.
The details of the message sent out by this worm are:
Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon
)
who is beside you in this pic
so good-looking
the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg <<
Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !! <<
oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<
It also attempts to connect to the following website to download and execute some malicious files.
http://{BLOCKED}vey-sales.com/ipn/transactions/en.exe
http://{BLOCKED}vey-sales.com/ipn/transactions/link-en.exe
The worm tries to terminate some of the security related processes.
This worm first appeared on November 12, 2006.
Other names of Sohanad Worm:
This Worm is also known as WORM_SOHANAD.AE.
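As an added host-triage example (not part of this thread or of any vendor write-up), the PowerShell script below checks a Windows machine for the indicators listed in the description: the two dropped files in the Windows folder, a Run value that launches them, the two Yahoo! Messenger keys, and the Registry Editor / Task Manager lockout. The post does not name the registry values used for that lockout, so the script assumes the standard per-user policy values DisableRegistryTools and DisableTaskMgr; everything else comes from the description. It assumes PowerShell 5.1 or later on Windows and should be run from an elevated prompt so HKLM and the Windows folder are readable.

```powershell
# Added triage script (not from the forum post or any vendor): reports Sohanad
# indicators present on this host. Read-only; it changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies in the Windows folder (file names from the description).
foreach ($name in 'SVHOST32.EXE', 'SVHOST.EXE') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. Autostart: any Run value whose command references one of those file names.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's PS* metadata properties
        if ("$($prop.Value)" -match 'svhost(32)?\.exe') {
            $findings.Add("Run value '$($prop.Name)' launches: $($prop.Value)")
        }
    }
}

# 3. Yahoo! Messenger keys the worm creates (paths from the description).
foreach ($key in 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz',
                 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast') {
    if (Test-Path -Path $key) {
        $findings.Add("Yahoo! Messenger key present: $key")
    }
}

# 4. Registry Editor / Task Manager lockout. Assumption: the worm sets the standard
#    per-user policy values; the post only says that both tools are disabled.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path -Path $policy) {
    $p = Get-ItemProperty -Path $policy
    foreach ($v in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($p.$v -eq 1) {
            $findings.Add("$v is set to 1 under $policy")
        }
    }
}

if ($findings.Count -eq 0) {
    'No Sohanad indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Hits on the Run value or the dropped files are the strongest signal; the policy values alone can also be set legitimately by an administrator, so treat item 4 as corroborating evidence rather than a verdict on its own. The script is deliberately read-only so it can be run on a suspect machine before any cleanup decision is made.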