--------------------------------------------------------------------------------
Type
Virus
SubType
Worm
Discovery Date
05/15/2007
Length
varies
Minimum DAT
5031 (05/15/2007)
Updated DAT
5031 (05/15/2007)
Minimum Engine
5.1.00
Description Added
05/15/2007
Description Modified
05/16/2007
Overview -
W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
Aliases
IM-Worm.Win32.Sohanad.t (Kaspersky)
W32.Yautoit (Symantec)
W32/Sohana-R (Sophos)
Win32/YahLover.AO (CA)
Worm/Sohanad.NAK (Antivir)
Characteristics -
W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
Upon execution the worm drops the following files:
%WINDIR%\SSVICHOSST.exe -> Worm Component
%SYSDIR%\SKCVHOSThk.dll -> Keylogger Component
%SYSDIR%\SKCVHOST.exe -> Keylogger Component
%SYSDIR%\SKCVHOSTr.exe -> Keylogger Component
Creates the following registry keys to hook at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” =” Explorer.exe SSVICHOSST.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run\
“Yahoo Messengger” = “%SYSDIR%\ SSVICHOSST.exe”
The worm creates a job file (At1.job) which schedules to execute itself everyday at 09:00 hrs.
Modifes the following registry keys to hide folder options and disable the taskmanager, registry editing etc.
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer\
"NofolderOptions"= “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System\
"DisableTaskMgr"=”1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System\
"DisableRegistryTools"=”1”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Schedule\
"AtTaskMaxHours" =”0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\WorkgroupCrawler\Shares\
"shared"="\\[SHARES]\New Folder.exe"
Symptoms -
Ends the following processes and closes applications if the window title has:
[FireLion]
Bkav2006
System Configuration
Registry
Windows Task
cmd.exe
Attempts to delete following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run="BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run=”IEProtection"
Downloader Component:
The worm connects to the following domains to download updated variants of itself and additional malware.
[Only Registered and Activated Users Can See Links. Click Here To Register...][BLOCKED].t35.com/
[Only Registered and Activated Users Can See Links. Click Here To Register...][BLOCKED].t35.com/
[Only Registered and Activated Users Can See Links. Click Here To Register...][BLOCKED].t35.com/
[Only Registered and Activated Users Can See Links. Click Here To Register...][BLOCKED].t35.com/
At the time of writing this description, variants of KeyLog-Perfect.dll, Keylog-Perfect and Generic ProcKill.c were observed to be downloaded.
Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
Method of Infection -
The worm spreads through passing any of the above links pointing to a hosted copy of the worm to all users listed in infected person’s yahoo buddy list.
Victims typically get infected when they download and execute the spammed copy of the worm.
It also spreads via network shares and removable drives.
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Linear Mode
