Worm:Win32/Sohonad.S is a worm that spreads via mapped network drives.
Installation
When executed, Worm:Win32/Sohonad.S creates multiple copies of itself in the following hardcoded locations:
- c:\windows\compmgmt.exe as hidden
- c:\windows\system32\debug_32.exe as hidden
- c:\windows\system32\MsMpEng.exe as hidden
It ensures the copies run at each logon (and, through the SafeBoot entries, in Safe Mode with Command Prompt) using the following registry modifications:
Adds value: Shell
With data: "c:\windows\compmgmt.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: compmgmt.exe
With data: "c:\windows\system32\debug_32.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: Sheli
With data: "c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Adds value: Userinit
With data: "C:\WINDOWS\system32\userinit.exe,c:\windows\tasks\dmadmin_1.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: AlternateShell
With data: "c:\windows\system32\MsMpEng.exe"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
Adds value: AlternateShell
With data: "c:\windows\system32\MsMpEng.exe"
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Then, using Windows Task Scheduler, it schedules debug_32.exe to run within the next minute; it creates five separate jobs for this, named At1, At2, At3, At4 and At5 (the naming the at.exe command produces).
The worm also creates copies of itself in the My Documents directory, naming each copy after an existing subdirectory so that, once file extensions are hidden (see the HideFileExt change under Modifies System Settings), the copy looks like the folder itself. For example:
- My Pictures.exe
- My Music.exe
Spreads Via…
Network Drives
The worm enumerates the drives on the affected machine and copies itself to the root of each targeted drive as New_Folder.exe. Alongside the copy it writes a file named autorun.inf in the root of the drive.
The autorun.inf file contains execution instructions for the operating system, which Windows invokes when the drive is opened in Windows Explorer, provided AutoRun is permitted for that drive type (see the NoDriveTypeAutoRun change under Modifies System Settings).
It should be noted that an autorun.inf file on its own is not necessarily a sign of infection, as legitimate programs and installation CDs use them too.
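The following PowerShell script is an added example, not part of the Microsoft write-up, that checks every ready fixed, removable and mapped network drive for the spreading pattern just described: New_Folder.exe in the drive root together with an autorun.inf that names it. It treats a lone autorun.inf as something to review rather than as proof of infection, for the reason given above. The function name and verdict strings are my own.

```powershell
# Added example (not Microsoft's): scan drive roots for the Sohonad.S spreading artefacts.
# A drive holding both New_Folder.exe and an autorun.inf that references it is the pattern
# described on this page; an autorun.inf on its own is reported but not called an infection.
function Find-SohonadDriveArtifacts {
    param([string[]]$Roots)   # hypothetical parameter: pass specific roots (e.g. a UNC share) to override discovery
    if (-not $Roots) {
        # CD-ROM drives are skipped on purpose: an autorun.inf there is normal.
        $Roots = [System.IO.DriveInfo]::GetDrives() |
            Where-Object { $_.IsReady -and ('Fixed', 'Removable', 'Network' -contains $_.DriveType.ToString()) } |
            ForEach-Object { $_.RootDirectory.FullName }
    }
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        $exe = Join-Path $root 'New_Folder.exe'
        $hasInf = Test-Path -LiteralPath $inf -PathType Leaf
        $hasExe = Test-Path -LiteralPath $exe -PathType Leaf
        if (-not ($hasInf -or $hasExe)) { continue }

        $infText = ''
        if ($hasInf) {
            # -Force reads the file even when the worm has marked it hidden/system.
            $infText = ((Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue) -join "`n").Trim()
        }
        if ($hasInf -and $hasExe -and $infText -match '(?i)New_Folder\.exe') {
            $verdict = 'INFECTED: autorun.inf launches New_Folder.exe'
        } elseif ($hasExe) {
            $verdict = 'SUSPICIOUS: New_Folder.exe present in drive root'
        } else {
            $verdict = 'autorun.inf only; review contents, may be legitimate'
        }
        # Emit one record per drive so the output can be filtered or exported.
        New-Object PSObject -Property @{ Root = $root; Verdict = $verdict; AutorunInf = $infText }
    }
}

Find-SohonadDriveArtifacts | Format-List Root, Verdict, AutorunInf
```

Run it from a host that is not itself infected, since the worm terminates cmd.exe and windows with "ystem32" or "Command" in the title. To check a share that is not mapped, pass it explicitly: Find-SohonadDriveArtifacts -Roots '\\fileserver\share\'. The full autorun.inf text is printed rather than parsed, because the page does not state its exact contents and an analyst will want to read what it launches.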
Payload
Kills Processes/Stops Services
The worm kills the following processes on an affected machine.
ravmon.exe
ravmone.exe
sxs.exe
cmd.exe
regedit.exe
avgcc.exe
updat32.exe
rstrui.exe
install.exe
setup.exe
YahooMessenger.exe
mIRC.exe
UIWatcher.exe
UnInstaller.exe
It further kills processes whose window titles contain any of the following strings. Note that many entries omit the initial letter (for example "ecurity", "egistry", "rocess") so that a plain substring match catches both the capitalised and the lower-case forms:
Anti
Anti-Virus
aspersky
Avast
AVG
Back
BitDefender
Chat
Check
Clean
Command
Control
earch
ecurity
egistry
emove
ERD
ERU
ervice
essenger
estore
Guard
ijack
Luke
McAfee
NOD32
Norton
ntivir
ntivirus
Options
Panda
Patrol
pdat
Program Files
rocess
rotect
Run
Scan
Scans
Spy
tartup
Task
Test
Trojan
tweak
utorun
virus
ymantec
ystem32
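To make the reach of that kill list concrete, here is an added PowerShell example (not Microsoft's code) that reproduces the substring check and runs it over a handful of constructed window titles and then over the windows actually open on the host. It assumes an ordinal, case-sensitive substring match, which the page does not state but which the first-letter-dropped entries are built for; the function and sample titles are my own.

```powershell
# Added example (not Microsoft's): reproduce the window-title kill list and see what it hits.
# Assumption: ordinal (case-sensitive) substring match, which is what entries such as
# "ecurity" and "egistry" are designed for; the page itself does not state the comparison.
$killTitleStrings = @(
    'Anti','Anti-Virus','aspersky','Avast','AVG','Back','BitDefender','Chat','Check','Clean',
    'Command','Control','earch','ecurity','egistry','emove','ERD','ERU','ervice','essenger',
    'estore','Guard','ijack','Luke','McAfee','NOD32','Norton','ntivir','ntivirus','Options',
    'Panda','Patrol','pdat','Program Files','rocess','rotect','Run','Scan','Scans','Spy',
    'tartup','Task','Test','Trojan','tweak','utorun','virus','ymantec','ystem32'
)

function Get-SohonadTitleMatches {
    param([Parameter(Mandatory = $true)][string]$Title)
    # String.Contains is an ordinal comparison: 'Registry Editor' matches 'egistry', not 'Run'.
    $killTitleStrings | Where-Object { $Title.Contains($_) }
}

# Constructed sample titles (not from the page) showing how broad the list is:
$sampleTitles = 'Windows Task Manager', 'Registry Editor', 'Process Explorer - Sysinternals',
                'C:\WINDOWS\system32\cmd.exe', 'Kaspersky Anti-Virus', 'Untitled - Notepad', 'Calculator'
foreach ($t in $sampleTitles) {
    $hits = @(Get-SohonadTitleMatches -Title $t)
    if ($hits.Count) { "{0,-35} killed  ({1})" -f $t, ($hits -join ', ') }
    else             { "{0,-35} spared" -f $t }
}

# Same check against the windows currently open on this host:
Get-Process | Where-Object { $_.MainWindowTitle } | ForEach-Object {
    $hits = @(Get-SohonadTitleMatches -Title $_.MainWindowTitle)
    if ($hits.Count) { "{0} (PID {1}): would be killed via '{2}'" -f $_.MainWindowTitle, $_.Id, ($hits -join "', '") }
}
```

The sample run shows why the list is effective against a hands-on user: Task Manager falls to "Task", Registry Editor to "egistry", Process Explorer to "rocess", and a default command prompt window, whose title is its own path under system32, to "ystem32", while Notepad and Calculator survive. Anything browsing Program Files in Explorer is hit by that entry as well.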
It also hides windows whose titles contain the following strings:
- Setup
- Install
- Customize
- Kaspersky
The worm may also stop or suspend the following services, identified here by their executable names:
- sp_rsser.exe
- avgupsvc.exe
- avp.exe
Modifies System Settings
The worm makes the following registry changes in order to hinder its removal and increase its chances of spreading successfully. Taken together they remove the user's ways of seeing and undoing the infection: .reg files are re-associated with the text-file handler, so a registry fix can no longer simply be merged; Registry Editor, Task Manager, the Run and Search commands, the File menu, Folder Options and several Control Panel applets are disabled by policy; 16-bit applications (WinOldApp) are blocked; file extensions and hidden files are suppressed in Explorer, so the hidden copies and the "My Pictures.exe"-style decoys look like ordinary folders; and NoDriveTypeAutoRun is set to 1, a bitmask in which only the "unknown drive type" bit is set, which permits AutoRun on every recognised drive type rather than the Windows default that blocks it on network and unknown drives. (The page records that last value under Policies\System; Windows reads it from Policies\Explorer, alongside the worm's other Explorer policies.)
Adds value: (Default)
With data: txtfile
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.reg
Adds value: NoFolderOptions
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: DisableRegistryTools
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: Disabled
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Adds value: DisableTaskMgr
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: NoDriveTypeAutoRun
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: NoRun
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: NoFind
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: NoFileMenu
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Adds value: appwiz.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load
Adds value: Services.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load
Adds value: Startup.cpl
With data: "no"
To subkey: HKEY_CURRENT_USER\Control Panel\don't load
Adds value: HideFileExt
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: Hidden
With data: 2
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
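As an added example that is not part of the Microsoft write-up, the PowerShell script below audits every persistence entry from the Installation section and every lockdown value from this section on a live host, reports what it finds, and with -Remediate reverts the registry changes. The clean values it restores (the stock userinit.exe entry for Userinit, cmd.exe for SafeBoot\AlternateShell, regfile for the .reg association) are the Windows defaults and are not stated on the page; the function names and output format are my own.

```powershell
# Added example (not Microsoft's): audit and optionally revert the Sohonad.S registry
# persistence and policy changes listed on this page. Run from an elevated PowerShell.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Auto-start entries: only a hit if the data points at one of the dropped files.
$persistence = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Shell';          Marker = 'compmgmt.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Sheli';          Marker = 'dmadmin_1.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run'; Name = 'compmgmt.exe';   Marker = 'debug_32.exe' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Sheli';          Marker = 'dmadmin_1.exe' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'; Name = 'Sheli';          Marker = 'dmadmin_1.exe' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';           Name = 'Userinit';       Marker = 'dmadmin_1.exe' }
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot';                           Name = 'AlternateShell'; Marker = 'MsMpEng.exe' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';                       Name = 'AlternateShell'; Marker = 'MsMpEng.exe' }
)
foreach ($p in $persistence) {
    $data = Get-RegValue $p.Key $p.Name
    if ($data -and ($data -like "*$($p.Marker)*")) {
        $findings.Add("$($p.Key)\$($p.Name) = $data")
        if ($Remediate) {
            switch ($p.Name) {
                # Values restored here are standard Windows defaults, not taken from the page.
                'Userinit'       { Set-ItemProperty -LiteralPath $p.Key -Name $p.Name -Value "$env:SystemRoot\system32\userinit.exe," }
                'AlternateShell' { Set-ItemProperty -LiteralPath $p.Key -Name $p.Name -Value 'cmd.exe' }
                default          { Remove-ItemProperty -LiteralPath $p.Key -Name $p.Name }
            }
        }
    }
}

# 2. Lockdown policies: mere presence is reported; deleting the value restores the default.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Names = 'NoFolderOptions','NoRun','NoFind','NoFileMenu' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Names = 'DisableRegistryTools','DisableTaskMgr','NoDriveTypeAutoRun' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp'; Names = 'Disabled' }
    @{ Key = "HKCU:\Control Panel\don't load";                                     Names = 'appwiz.cpl','Services.cpl','Startup.cpl' }
)
foreach ($pol in $policies) {
    foreach ($n in @($pol.Names)) {
        $data = Get-RegValue $pol.Key $n
        if ($null -ne $data) {
            $findings.Add("$($pol.Key)\$n = $data")
            if ($Remediate) { Remove-ItemProperty -LiteralPath $pol.Key -Name $n }
        }
    }
}

# Explorer view settings. HideFileExt=1 and Hidden=2 are also the out-of-the-box values, so on
# their own they prove nothing; they are flagged because they mask the decoy copies.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-RegValue $adv 'HideFileExt') -eq 1 -or (Get-RegValue $adv 'Hidden') -eq 2) {
    $findings.Add("$($adv): extensions hidden / hidden files not shown")
    if ($Remediate) {   # analyst-friendly setting, not a restore of whatever the user had before
        Set-ItemProperty -LiteralPath $adv -Name 'HideFileExt' -Value 0 -Type DWord
        Set-ItemProperty -LiteralPath $adv -Name 'Hidden'      -Value 1 -Type DWord
    }
}

# .reg association: txtfile opens registry fixes in Notepad instead of merging them.
$regKey = 'HKLM:\SOFTWARE\Classes\.reg'
if ((Get-RegValue $regKey '(default)') -eq 'txtfile') {
    $findings.Add("$regKey (Default) = txtfile")
    if ($Remediate) { Set-ItemProperty -LiteralPath $regKey -Name '(default)' -Value 'regfile' }  # stock association
}

# 3. Dropped files and the At1..At5 jobs (legacy at.exe jobs are stored as AtN.job in the Tasks folder).
# The genuine Defender engine does not live in system32, so MsMpEng.exe there is itself an indicator.
$paths = "$env:SystemRoot\compmgmt.exe", "$env:SystemRoot\system32\debug_32.exe",
         "$env:SystemRoot\system32\MsMpEng.exe", "$env:SystemRoot\tasks\dmadmin_1.exe"
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") } }
Get-ChildItem -LiteralPath "$env:SystemRoot\Tasks" -Filter 'At*.job' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("job: $($_.FullName)") }

if ($findings.Count -eq 0) { 'No Sohonad.S indicators found.' } else { $findings }
```

The HKCU entries belong to whichever user the worm ran as, so run the script in that user's session (or load that user's NTUSER.DAT under HKU and adjust the HKCU: paths) rather than as a separate administrator account. The script reports the dropped files and At jobs but does not delete them, since a live copy will simply be re-created by the next At job until the processes are stopped and the files quarantined together; do the registry remediation last, after the files are gone, or from a clean boot.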