Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
TrendLabs has received reports about this worm propagating in the wild.
This memory-resident worm arrives on an affected system as a file downloaded from the Internet by unsuspecting users while visiting malicious Web sites. It may also arrive via the popular instant messaging application, Yahoo! Messenger.
When executed, modifies the system registry to disable Registry Editor and Task Manager. It also modifies the Internet Explorer home page and prevents the affected user from manually reverting to the preferred home page.
This worm propagates via Yahoo! Messenger. It does this by sending an instant message to all the contacts of an active user. The said message contains a link to a remote copy of itself. When the recipient clicks the link, the copy is executed on the recipients' system.
Below is a screenshot of the instant message:
It is also capable of downloading and executing files from a certain URL. It also accesses and executes an embedded script from an HTML page. Trend Micro detects the said HTML script as HTML_SOHANAD.A.
This worm terminates several processes, most of which are components of other malware, while some are security-related programs.
For additional information about this threat, see:
Solution
Technical Details
Description created: Oct. 3, 2006 12:14:42 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
