[Malware Review] Win32.Worm.Sohanad.NAW - the malicious friend you talk to on Yahoo Messenger

Initially discovered on November 2007, Win32.Worm.Sohanad.NAW is a self-spreading e-threat able to download files from remote locations and stealthily execute them on the infected machine. The worm is extremely aggressive in terms of self-replication, as it features no less than three distinct methods of infecting new systems: by sharing itself on the local network, by infecting any removable storage device plugged into the infected computer and by sending enticing messages to all the Yahoo Messenger contacts of the infected YIM user.

One of the first signs that the system has been infected is computer slowdown and intense Internet activity, as worms consume most of the bandwidth in order to replicate themselves over the
network. Win32.Worm.Sohanad.NAW tampers with the Windows Registry in order to prevent the user from accessing the Task Manager, Regedit and Folder Options, and also adds a new registry entry in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon in order to register itself at every Windows restart.

In order to infect as many computers as possible, the worm drops copies of itself on all removable or mapped drives, along with an autorun.inf file that automatically executes these copies when these drives are accessed.

Other variants of Win32.Worm.Sohanad.NAW are able to create scheduled tasks using the Microsoft Job Scheduler to execute itself every day at 9:00 AM starting on the day it is first executed.

In order to stay safe and fully enjoy your Internet experience, BitDefender recommends that you install and regularly update an anti-malware suite with anti-virus, anti-spam, anti-phishing
and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher George Cabau.