Remove sohanad.dz - Spyware Removal Information

More than 1309737 spyware signatures and growing

Spywarelib Search

Search in:

Spywares

Files

Md5

Registry

Worm-IM.sohanad.dz Analysis Report

Threat Submitted On: 3/9/2008 7:38:32 PM

Threat Analysed On: 3/10/2008 12:38:32 AM

Threat Updated On: 11/16/2009 1:04:59 PM

Type : Worm-IM

Symptoms of sohanad.dz

Spreads through Instant Messaging.
Sends itself to the Contact lists of the IM.
The users can sometimes be duped to accept the message due to the social engineering techniques adopted by the worm.

Removal Recommended (Click here to remove automatically)

Removal Recommended

Information

Alias : im-worm.win32.sohanad.dz

Md5 Hash : [a3c56e26eb6742c9bda73f26533c1d7c]

File Size : (17922 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System

Note:

Delete the following Files to remove Infection

File: 16f5e.dmp
Path : %temp%
Md5Hash :27059f9d1919f8ba24520314e5e7eff1 ( bytes)

File: 1e980.dmp
Path : %temp%
Md5Hash :90abcf02c980cf2cb2948b65c279ecc0 ( bytes)

File: 3c9b_appcompat.txt
Path : %temp%
Md5Hash :840c32d75655f596eb3bf03948590c27 ( 2582 bytes)

File: 402c_appcompat.txt
Path : %temp%
Md5Hash :50c1cda5174331deca256611c004f0ac ( 2582 bytes)

File: 6699_appcompat.txt
Path : %temp%
Md5Hash :db535bcb575b7b1d6903062da6a9a04f ( bytes)

File: d88e_appcompat.txt
Path : %temp%
Md5Hash :a11887bf744705b4bcb1eb4314584240 ( bytes)

File: services.exe
Path : %windir%\system32\1d060819

	Md5Hash :


		1322e6eb23dee697b4065ac8ec2da2ed ( 17920 bytes)


		18866d4fef31914d3de1e9eb16491a45 ( 17920 bytes)


		1e2d9a27478f650f354a65177e1d5bb9 ( 17920 bytes)


		22ee3faf1e42769c76f3c35a5e47b4d5 ( 17920 bytes)


		2d1c47d4e096180dc2541e7a15debdc9 ( 17920 bytes)


		326c706adb829cb6a35254de4c1e926c ( 17920 bytes)


		32ad3ea532bbf1b32ecb437ca8ba51b6 ( 17920 bytes)


		49321c701a693ecf8d3dc4f6abcd9387 ( 17920 bytes)


		853ac053e8eefcc6bdab561dd615e8f5 ( 17920 bytes)


		89bd7b7f7910745a5b65f14dd6cf12c6 ( 17920 bytes)


		934c1344c45dfd70f77831594e6f3e7a ( 17920 bytes)


		a42dc348e394a5066954162222c6f0e4 ( 17920 bytes)


		bd5c04142fcde5b120be3444d6d7e81c ( 17920 bytes)


		c2176b10260dda1f035fb5647f836864 ( 17920 bytes)


		c26b7c90b680adf629503f62ae2c6d1b ( 17920 bytes)


		ca80012b9ff44af4144e2353bef1de04 ( 17920 bytes)


		d1764eb826e972b7e0ddef2bfbe44080 ( 17920 bytes)


		d2b6ab8086f7fee2338f2fab872920a2 ( 17920 bytes)


		db13af7a4d57d9af4105ed0eb6d965df ( 17922 bytes)


		db1e8d5f77038ebba4c5beed2fc4ff2a ( 17920 bytes)


		e4ada5052e685ac07e13293f61befd4c ( 17920 bytes)


		fd8031a8547f007d9cfc01539b9d8487 ( 17920 bytes)

File: [randomname].exe
Path : %workingdir%

	Md5Hash :


		2be5891407f02c0ee43eaaaadb0f93cd ( 17920 bytes)


		2f29c3eaa32e4979883dc8566e216c82 ( 17920 bytes)


		2f40efda042440b104e3b89a2a9be9d6 ( bytes)


		372381ebac6aa1b45b8db793aa725a3d ( 17920 bytes)


		3c81b676836e6829f91d4672a53ad464 ( 17920 bytes)


		42c0aa3cc686db72bf3c5e6fe3b3d67a ( bytes)


		4dd9cf00078776fba0ca49233422dfc6 ( 17920 bytes)


		4e7ed1d13f9166837180189677f815a4 ( bytes)


		4fb1ac454434f6c73ce2fa87cd671526 ( 17920 bytes)


		4fe5084d884b504aeb28b42c53b67446 ( 17920 bytes)


		534c0b422ceec139721e1b404be4ce93 ( 17920 bytes)


		55c99f682d8c4504c356f982432ef8f0 ( 17920 bytes)


		56c0ff777ac7e36faa0b6e89ff19a9cd ( 17920 bytes)


		59a96e9dc967fcec6e2e5aa858a5c69d ( 17920 bytes)


		641b309e90979e12963e8f59228c60d3 ( bytes)


		6472fab8e415a5a4917380ea9b5db270 ( bytes)


		6efb8923ee6ad8318b6dd66ffbb08d13 ( 17920 bytes)


		71d55436afbd1615a8cac2d6aa840751 ( bytes)


		87743021a2aaae3b0fee443042969613 ( 17920 bytes)


		8a26558cf53ded861ba77d16a6b72d94 ( 17920 bytes)


		900583f7c8b08bacc59a62b7422408fa ( bytes)


		916c252926dc0e1a38434b09799de1a9 ( 17920 bytes)


		a35c4f8e1edf9c88d699ddf5536bb3f5 ( bytes)


		a3c56e26eb6742c9bda73f26533c1d7c ( 17922 bytes)


		a6442392edea2d61417f37fa912db491 ( 17920 bytes)


		b19bf3d5a938e2a02012c1d454ba7916 ( bytes)


		b1d84db14b47ecd39ebf9057c6227280 ( 17920 bytes)


		bd78e6a8d658a288e609a714a0c26764 ( 17920 bytes)


		df409d3a1a1047fb8a9dbcda8a3ea76e ( 17920 bytes)


		e0c1dc2770ed34ad40879d2d6b7afb0b ( bytes)


		e1600bb1477f16b7f96cbf7fee5e6bf2 ( 17920 bytes)


		e49918ea2dfe9363ab0b00aa71d624c4 ( bytes)


		f9e33dadb0cf731f3f33e089034252c3 ( 17920 bytes)


		fe2eeb782f6b9ba9a1496061386a7560 ( bytes)


		fed0e15596a796ea126b1f846f478342 ( bytes)

Also creates the following files on user's System which are also created by Genuine Software :-

Note:

These file(s) can be kept as they are also created by genuine Software.

File : user.dmp
Path : %allusersprofile%\application data\microsoft\dr watson
Md5Hash :( bytes)

File : desktop.ini
Path : %homepath%\my documents
Md5Hash :869cba0364c55b0c6524419a8b86df88 ( 83 bytes)

File : 1532c.dmp
Path : %temp%
Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)

File : 156c6.dmp
Path : %temp%
Md5Hash :d41d8cd98f00b204e9800998ecf8427e ( 0 bytes)

The following Registry Values are added to the provided Registry Keys :-

Note:

Delete the added Values from the Key to remove Infection

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

|__ Value Added :

services = ""%windir%\system32\1d060819\services.exe""

The following Registry Values are added to the provided Registry Keys which are also created by Genuine Software :-

Note:

These Values can be left as they are also created by legitimate Software :-

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson

|__ Value Added :

numberofcrashes

Creates the following child process(s) on execution:

%windir%\system32\1d060819\services.exe

%windir%\system32\dwwin.exe -x -s 1416

services.exe

%windir%\system32\ping.exe c

Creates the Following MUTEX(s) on user's System:-

[w32.trafox.a]

raspbfile

Copies the Following Files to Given Location :-

Copies :%workingdir%\[random name].exe

To : %windir%\system32\1d060819\services.exe

NOTE:

1. %temp% Refers to the windows temp folder. By default it is 'C:\Documents and Settings\[user]\Local Settings\Temp'
2. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
3. %workingdir% Refers to the current directory in which user is working.
4. %allusersprofile% Refers to the windows all users profile folder. By default it is 'C:\Documents and Settings\All Users'
5. %homepath% Refers to the windows current user's profile folder. By default it is 'C:\Documents and Settings\[user]'

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.