high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | September 2007 (4.21) |
| Protection available since | 16 July 2007 22:57:07 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sohana-Y is a worm for the Windows platform.
W32/Sohana-Y spreads through instant messaging applications, removable media and network shares.
W32/Sohana-Y includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Sohana-Y spreads through instant messaging applications, removable media and network shares.
W32/Sohana-Y includes functionality to access the internet and communicate with a remote server via HTTP.
When first run W32/Sohana-Y copies itself to:
<Windows>\SSCVIIHOST.exe
<System>\SSCVIIHOST.exe
<System>\blastclnnn.exe
and creates the following files:
<System>\autorun.ini
<System>\setting.ini
The file autorun.ini is detected as Mal/AutoInf-A.
The following registry entry is created to run W32/Sohana-Y on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\SSCVIIHOST.exe
The following registry entry is changed to run W32/Sohana-Y on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe SSCVIIHOST.exe
The following registry entries are set, disabling system software:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1
|
