Malware type: Worm

Aliases: IM-Worm.Win32.Sohanad.u (Kaspersky), W32/YahLover.worm (McAfee), W32.Imaut (Symantec), Worm/Sohanat.AX (Avira), W32/Sohana-K (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This worm propagates via Yahoo! Messenger, AIM, Windows Live Messenger or Windows Messenger. It does the said routine by sending an instant message to all the contacts of an active user. The said message contains a link to a remote copy of itself. When the recipient clicks the link, the copy is executed on the recipients' system.

It modifies the registry to change certain settings of Yahoo! Messenger, and change Internet Explorer home page and search page. It also modifies certain registry entries to disable Registry Editor and Windows Task Manager. It does the said routine to avoid easy detection and consequent removal.

It also downloads a file, which is detected by Trend Micro as WORM_VB.CCB, from a specific URL. As a result, the routines of the related worm may be exhibited on the affected system.

For additional information about this threat, see:
Solution
Technical Details

Description created: Feb. 1, 2007 3:40:51 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.