DR/Sohanad.BM.157 - Dropper

See also

Summary

Full description

Statistics

Virus:	DR/Sohanad.BM.157
Date discovered:	30/09/2009
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low to medium
Distribution Potential:	Low to medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	529.920 Bytes
MD5 checksum:	ec80ba08fe2710d8ab5ad280f1b37137
IVDF version:	7.01.06.59 - Wed, 30 Sep 2009 16:27 (GMT+1)

General Aliases:
   • Mcafee: W32/YahLover.worm
   • Sophos: W32/SillyFDC-G
   • Panda: W32/Hakaglan.A.worm
   • Eset: Win32/Hakaglan.AH
   • Bitdefender: Trojan.AutoIt.TD

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Lowers security settings
   • Registry modification

Files It copies itself to the following locations:
   • %WINDIR%\RVHOST.exe
   • %SYSDIR%\RVHOST.exe

The following file is created:

– %WINDIR%\Tasks\At1.job

It tries to download some files:

– The location is the following:
   • http://nhatquanglan2.0catch.com/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://www.freewebs.com/nhattruongquang/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://nhatquanglan2.0catch.com/**********
At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://www.freewebs.com/nhattruongquang/**********
At the time of writing this file was not online for further investigation.

Registry One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Yahoo Messengger"="%SYSDIR%\RVHOST.exe"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   • "DisableRegistryTools"=dword:0x00000001
   • "DisableTaskMgr"=dword:0x00000001

The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "Shell"="Explorer.exe RVHOST.exe"

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   New value:
   • "AtTaskMaxHours"=dword:0x00000000
   • "NextAtJobId"=dword:0x00000003

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NofolderOptions"=dword:0x00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "GlobalUserOffline"=dword:0x00000000

Process termination The following process is terminated:
• taskmgr.exe

File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Petre Galan on Fri, 05 Feb 2010 12:30 (GMT+1)
Description updated by Petre Galan on Fri, 05 Feb 2010 12:34 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back