Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | May 2007 (4.17) |
| Protection available since | 23 March 2007 19:53:09 (GMT) |
| Detected by | All Sophos products |

Action

Please follow the instructions for removing worms.
More Information
W32/Sohana-P is a network worm for the Windows platform.
W32/Sohana-P spreads through instant messaging applications and network shares.
W32/Sohana-P includes functionality to download, install and run new software.
When W32/Sohana-P is installed, the following files are created:
<System>\svchost.exe
<System>\svchost32.exe

The following registry entries are created to run W32/Sohana-P on startup:

| Registry key | Value | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Task Manager | <System>\svchost.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Yahoo Messenger | <System>\svchost32.exe |

W32/Sohana-P changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling system software:

| Registry key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools | 1 |

Registry entries are set as follows:

| Registry key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoRun | 1 |
| HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel | Homepage | 1 |

Registry entries are created under:
HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast
HKCU\Software\Yahoo\pager\View\YMSGR_buzz
