[Malware Review] Win32.Worm.Sohanad.NAW – the malicious friend you talk to on Yahoo Messenger

Year 2009 was surely the year of the Downadup worm. Although the worm has slowly started to decay, its legacy continues for the new year in the presence of smaller, yet extremely annoying e-threats able to spread themselves through a variety of media.

Initially discovered on November 2007, Win32.Worm.Sohanad.NAW is a self-spreading e-threat able to download files from remote locations and stealthily execute them on the infected machine. The worm is extremely aggressive in terms of self-replication, as it features no less than three distinct methods of infecting new systems: by sharing itself on the local network, by infecting any removable storage device plugged into the infected computer and by sending enticing messages to all the Yahoo Messenger contacts of the infected YIM user.

One of the first signs that the system has been infected is computer slowdown and intense Internet activity, as worms consume most of the bandwidth in order to replicate themselves over the
network. Win32.Worm.Sohanad.NAW tampers with the Windows Registry in order to prevent the user from accessing the Task Manager, Regedit and Folder Options, and also adds a new registry entry in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon in order to register itself at every Windows restart.
In order to infect as many computers as possible, the worm drops copies of itself on all removable or mapped drives, along with an autorun.inf file that automatically executes these copies when these drives are accessed.

Other variants of Win32.Worm.Sohanad.NAW are able to create scheduled tasks using the Microsoft Job Scheduler to execute itself every day at 9:00 AM starting on the day it is first executed.

In order to stay safe and fully enjoy your Internet experience, BitDefender recommends that you install and regularly update an anti-malware suite with anti-virus, anti-spam, anti-phishing
and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher George Cabau.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.