Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 18 May 2007 00:38:58 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Please configure the scan to scan all files, in order to detect and disinfect the dropped INF file(s).
More Information
W32/Sohana-W is a worm for the Windows platform.
W32/Sohana-W spreads to other computers on the network and by copying itself to removable storage devices.
W32/Sohana-W includes functionality to access the internet and communicate with a remote server via HTTP. The worm also includes functionality to download, install and run new software.
When first run, W32/Sohana-W copies itself to:
<Windows>\SSCVIHOST.exe
<System>\SSCVIHOST.exe
<System>\blastclnnn.exe
and creates the following files:
<System>\autorun.ini - Also detected as W32/Sohana-W
<System>\setting.ini - dat file, may simply be deleted
<Windows>\Tasks\At1.job - dat file, may simply be deleted
W32/Sohana-W may also attempt to download and execute the following files:
example.eex - detected as Troj/Havar-A
nhatquanglan15.exe - detected as Perfect Keylogger
test.exe - detected as Troj/VB-DUW
The following registry entry is created to run SSCVIHOST.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\SSCVIHOST.exe
The following registry entry is changed to run SSCVIHOST.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SSCVIHOST.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entries are set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared
\New Folder.exe
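
The files and registry values listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not a Sophos tool; it assumes `<Windows>` resolves to `%SystemRoot%` and `<System>` to the System32 directory, and it changes nothing on the machine.

```powershell
# Added example: read-only check for the W32/Sohana-W indicators listed above.
# Assumption: <Windows> is %SystemRoot% and <System> is the System32 directory.
$win = $env:SystemRoot
$sys = [Environment]::SystemDirectory
$findings = @()

# Dropped copies and support files. At1.job is also the default name of a
# job created with the at command, so that file alone is a weak signal.
$files = "$win\SSCVIHOST.exe", "$sys\SSCVIHOST.exe", "$sys\blastclnnn.exe",
         "$sys\autorun.ini", "$sys\setting.ini", "$win\Tasks\At1.job"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Registry values from the description; Match is a case-insensitive regex
# applied to the value data.
$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
    @{ Key = "$hkcu\Run";               Name = 'Yahoo Messengger';     Match = 'SSCVIHOST\.exe' },
    @{ Key = $winlogon;                 Name = 'Shell';                Match = 'SSCVIHOST\.exe' },
    @{ Key = "$hkcu\Policies\System";   Name = 'DisableTaskMgr';       Match = '^1$' },
    @{ Key = "$hkcu\Policies\System";   Name = 'DisableRegistryTools'; Match = '^1$' },
    @{ Key = "$hkcu\Policies\Explorer"; Name = 'NofolderOptions';      Match = '^1$' },
    @{ Key = "$hkcu\Explorer\WorkgroupCrawler\Shares"; Name = 'shared'; Match = 'New Folder\.exe' }
)
foreach ($c in $checks) {
    $data = Get-RegValue $c.Key $c.Name
    if ($null -ne $data -and "$data" -match $c.Match) {
        $findings += "Registry: $($c.Key)\$($c.Name) = $data"
    }
}

if ($findings) { $findings } else { 'No W32/Sohana-W indicators from this page were found.' }
```

The HKCU checks cover only the account running the script, so run it in each user's session. The three policy values can also be set legitimately by an administrator, so weigh them together with the file and startup findings.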
