
Hello and here's a problem: win32 sohanad.nak worm


2 replies to this topic

#1 pre101

Posted 19 May 2009 - 09:51 AM

After researching the web for 4 hours, I found this info:

Type: Virus (sohanad)
SubType: Worm
Discovery Date: 05/15/2007
Length: varies
Minimum DAT: 5031 (05/15/2007)
Updated DAT: 5031 (05/15/2007)
Minimum Engine: 5.1.00
Description Added: 05/15/2007
Description Modified: 05/16/2007


Overview:
W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares

Aliases:
IM-Worm.Win32.Sohanad.t (Kaspersky)
W32.Yautoit (Symantec)
W32/Sohana-R (Sophos)
Win32/YahLover.AO (CA)

Worm/Sohanad.NAK (Antivir)

Characteristics:
W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares


Upon execution the worm drops the following files:
%WINDIR%\SSVICHOSST.exe -> Worm Component
%SYSDIR%\SKCVHOSThk.dll -> Keylogger Component
%SYSDIR%\SKCVHOST.exe -> Keylogger Component
%SYSDIR%\SKCVHOSTr.exe -> Keylogger Component

Creates the following registry keys to hook at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Shell" = "Explorer.exe SSVICHOSST.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Yahoo Messengger" = "%SYSDIR%\SSVICHOSST.exe"

The worm creates a job file (At1.job) which schedules to execute itself everyday at 09:00 hrs.

Modifies the following registry keys to hide Folder Options and disable Task Manager, registry editing, etc.:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NofolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\
"AtTaskMaxHours" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
"shared" = "\\[SHARES]\New Folder.exe"

Symptoms:
Ends the following processes and closes applications if the window title contains:
[FireLion]
Bkav2006
System Configuration
Registry
Windows Task
cmd.exe

Attempts to delete following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run = "BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = "IEProtection"

Downloader Component:
The worm connects to the following domains to download updated variants of itself and additional malware.

http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/



At the time of writing this description, variants of KeyLog-Perfect.dll, Keylog-Perfect and Generic ProcKill.c were observed to be downloaded.

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
Method of Infection:

The worm spreads by passing any of the above links, pointing to a hosted copy of the worm, to all users listed in the infected person’s Yahoo buddy list.

Victims typically get infected when they download and execute the spammed copy of the worm.

It also spreads via network shares and removable drives.
Removal:

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
*Since we have a lot of visits related to removing Hakaglan, we will provide you all possible solutions to clean this malware.

- W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
- Aliases: IM-Worm.Win32.Sohanad.t (Kaspersky) W32.Yautoit (Symantec) W32/Sohana-R (Sophos) Win32/YahLover.AO (CA) Worm/Sohanad.NAK (Avira)

- Removal method:
1. Check your antivirus: which one it is, whether it is updated, and whether you made a full scan of your PC (after updating).

2. If you can't clean the worm this way, reinstall your AV or download & install one of these AVs: McAfee or Kaspersky (here at SCForum.info we provide links to the latest downloads; just check the right section) and go back to step 1.

3. Don't forget to turn off System Restore on your PC.

4. Also here is a solution for "handy" cleaning this Malware:


Enabling The Registry Editor and Task Manager

This malware disables the Registry Editor. To restore the said system tool, perform the following instructions:

Open Notepad. Click Start>Run, type Notepad, then press Enter.
Copy and paste the following:
' RESTORE.VBS: deletes the two policy values the worm sets so that Regedit and Task Manager open again.
' Both values live under HKEY_CURRENT_USER, so run this as each affected user.
' On Error Resume Next keeps the script going if a value is already absent.
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
Set shl = Nothing
MsgBox "Registry Editor and Task Manager have been re-enabled.", vbOKOnly, "RESTORE.VBS"

Save this file as C:\RESTORE.VBS.
Click Start>Run, type C:\RESTORE.VBS, then press Enter.
Click OK at the prompt of the message box.
Terminating the Malware Program

This procedure terminates the running malware process.

Open Windows Task Manager.
• On Windows 98 and ME, press
CTRL+ALT+DELETE
• On Windows NT, 2000, XP, and Server 2003, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
RVHOST.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

--------------------------------------------------------------------------------
*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.
On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry:

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entry from the Registry

Removing the autostart entry from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

Open Registry Editor.
Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Removing Other Entry from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"
Restoring Modified Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to: "1"
Close Registry Editor.

Deleting the Malware File(s):

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.

Important Windows ME/XP Cleaning Instructions:

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.



---------


Characteristics of the virus that should be noted:



It copies itself to the following locations:
• %SYSDIR%\SSVICHOSST.exe
• %WINDIR%\SSVICHOSST.exe

– %SYSDIR%\autorun.ini
Further investigation pointed out that this file is malware, too. Detected as: INF/AutoRun.J



It tries to download some files:

– The location is the following:
http://nhatquanglan3.t35.com/**********.nql
It is saved on the local hard drive under: %temporary internet files%\Content.IE5\%random character string%\setting[1].nql At the time of writing this file was not online for further investigation.

– The location is the following:
http://nhatquanglan4.t35.com/**********.nql
It is saved on the local hard drive under: %temporary internet files%\Content.IE5\%random character string%\setting[1].nql


--------

The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Yahoo Messengger"="%SYSDIR%\SSVICHOSST.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "Shell"="Explorer.exe SSVICHOSST.exe"



The following registry keys are added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
WorkgroupCrawler\Shares]
• "shared"="\New Folder.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
• "NofolderOptions"=dword:00000001



The following registry keys are changed:

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• "DisableTaskMgr"=dword:00000001
• "DisableRegistryTools"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Services\Schedule]
New value:
• "AtTaskMaxHours"=dword:00000000


-------------

If anyone can VERIFY that this actually work - please do reply.
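The registry artefacts listed in the post above (the Run and Winlogon "Shell" autostarts, the Policies lock-out values, the Schedule tweak and the WorkgroupCrawler share) and the manual removal steps map onto a small triage script. The following Python is an added example written for this page; it is not code from the original post or from any of the quoted AV vendors. It works on a .reg export instead of the live registry so it can be run against an offline hive or from Safe Mode (the description says the worm kills cmd.exe windows and disables regedit and Task Manager). The key paths and value names come from the post; the SAMPLE_REG text, the C:\WINDOWS\system32 and \\FILESRV paths in it, the file name triage.py and the reg.exe command output are assumptions made for the example, not captured from an infection.

```python
# Added example (not code from the post or any AV vendor): triage a Windows .reg export
# for the Sohanad/Hakaglan registry artefacts quoted above and emit reg.exe commands that
# undo them. SAMPLE_REG is CONSTRUCTED input mirroring the description, not a real capture.
import re
from dataclasses import dataclass
from typing import Dict, List
# Executable names the description ties to the worm (lower-case basenames).
WORM_BINARIES = {"ssvichosst.exe", "rvhost.exe", "skcvhost.exe", "skcvhostr.exe", "new folder.exe"}
# Lock-out values the description says the worm writes: (key, value name, data it sets).
POLICY_IOCS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", 0),
]
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def normalize_key(key: str) -> str:
    """Case-fold a key path; exports show ControlSet001 where the post says CurrentControlSet."""
    key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key.strip().rstrip("\\"), flags=re.I)
    return key.lower()

def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)          # .reg strings escape \ and " with a backslash

def _parse_data(raw: str):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    return "OTHER", raw                             # hex(...) blobs are not needed for these IOCs

def parse_reg(text: str) -> Dict[str, Dict[str, tuple]]:
    """.reg text -> key -> lower-cased value name -> (name, type, data); decode exports with 'utf-16' first."""
    hives: Dict[str, Dict[str, tuple]] = {}
    current: Dict[str, tuple] = {}
    for line in text.splitlines():
        key, val = _KEY_RE.match(line.strip()), _VALUE_RE.match(line.strip())
        if key:
            current = hives.setdefault(normalize_key(key.group(1)), {})
        elif val:
            name = "@" if val.group(2) else _unescape(val.group(1))
            current[name.lower()] = (name, *_parse_data(val.group(3)))
    return hives

@dataclass
class Finding:
    key: str
    name: str
    data: object
    action: str

def _references_worm(data) -> bool:
    return isinstance(data, str) and any(b in data.lower() for b in WORM_BINARIES)

def restore_shell(shell: str) -> str:
    """Winlogon Shell with the worm's executables stripped; the Windows default is 'Explorer.exe'."""
    keep = [t for t in shell.split() if t.lower().rsplit("\\", 1)[-1] not in WORM_BINARIES]
    return " ".join(keep) or "Explorer.exe"

def triage(hives: Dict[str, Dict[str, tuple]]) -> List[Finding]:
    found: List[Finding] = []
    for key, values in hives.items():               # autostart locations named in the description
        for lname, (name, _kind, data) in values.items():
            if key.endswith(r"\winlogon") and lname == "shell" and _references_worm(data):
                found.append(Finding(key, name, data, f'set to "{restore_shell(data)}"'))
            elif _references_worm(data) and (key.endswith(r"\currentversion\run")
                                             or key.endswith(r"\workgroupcrawler\shares")):
                found.append(Finding(key, name, data, "delete value"))
    for key, name, bad in POLICY_IOCS:              # accept both dword:1 and the string "1"
        entry = hives.get(normalize_key(key), {}).get(name.lower())
        if entry and str(entry[2]) == str(bad):
            found.append(Finding(normalize_key(key), entry[0], entry[2], "delete value"))
    return found

def reg_commands(findings: List[Finding]) -> List[str]:
    """reg.exe commands that undo each finding (run them after the worm process has been killed)."""
    return [f'reg delete "{f.key}" /v "{f.name}" /f' if f.action == "delete value"
            else f'reg add "{f.key}" /v "{f.name}" /t REG_SZ /d {f.action[7:]} /f' for f in findings]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared"="\\\\FILESRV\\Public\\New Folder.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSVICHOSST.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"""

if __name__ == "__main__":    # swap SAMPLE_REG for open("export.reg", encoding="utf-16").read()
    print(*reg_commands(triage(parse_reg(SAMPLE_REG))), sep="\n")
```

Two practical notes. The Policies values and the Run entry are per user (HKEY_CURRENT_USER), so export and triage the hive of every account that has logged on to the machine, not just the one that noticed the infection. And treat the binary names as a starting point only: the post itself notes that the downloader component can replace the worm's files on every infection, so a Shell value or Run entry that points at an unfamiliar executable deserves a look even when nothing in WORM_BINARIES matches.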

#2 cosmic_sniper05

Posted 19 May 2009 - 10:15 AM

Correct me if I'm wrong but am I right to say that you're suggesting a removal method? I haven't read the entire post because I'm not actually into such logs or whatever it is.

I also understand that it is your first post and I want to inform you that it is misplaced. Threads under Introduction are the usual "hi", "Hello", and "welcome to the site" things.

If you want your thread to get the attention it needs, better post it in the right forum.

I would like to help you to do so.

Could you please explain to me what your thread is all about (without the logs :flowers:) so I can direct you to the proper forum.


Oh...
I almost forgot!
:thumbsup:
Let's have a mental fusion!
Let us do our part to make this world a truly symbiotic place.

For other computer problems, this blog might be helpful:
http://cosmicsniper.blogspot.com

#3 Stofzuiger

Posted 19 May 2009 - 11:16 AM

Well, cosmic sniper says it all. Please start a new topic in the "Am I infected, what do I do" section of this forum.

And of course: :thumbsup: to BC :flowers:

Every one goes fun fun fun


Who is this doin' this synthetic type of alpha beta psychedelic bleepin'? ~Chemical Brothers - Elektrobank




