The worm can disable certain Windows functionalities and, in some cases, it can hijack the browser Internet Explorer homepage and other registry keys. The worm is also used for download other malware or other programs that can steal credit cards and personal information.

It is also able to spread itself not only by Yahoo Messengers but also by infecting removable devices such as USB flash and hard drives. The worm can copy itself on the removable device and using the file autorun.ini it can infect every computer where will be inserted the removable device and that have the Autorun option enabled.

The worm can performs these actions:

• Copy itself to system32 or windows folder
• Spread itself by sending spam messages on Y! Messenger Contacts
• Spread itself by infecting removable devices
• Disable important functionalities of Windows
• Download other malware
• Identity theft
• Credit Card and Bank accounts theft

The worm can drop itself in the system using these file names:

1
2
3
4
5
6
7
8
9
10
11

C:\WINDOWS\sclhosts.exe
C:\WINDOWS\scvhosts.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\chrome.exe
C:\WINDOWS\system32\yahoooo.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\chrome.exe
C:\WINDOWS\system32\chrome.exe
C:\WINDOWS\ffoxer.exe
C:\WINDOWS\foxr.exe

It installs the following registry key to ensure it starts up with Windows:

1

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger

In some cases the worm disabled also TaskManager and Regedit by changing these registry values:

1
2
3
4

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableTaskMgr (1)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools (1)

The worm disabled the option to “Show hidden files” in Windows so it can stay hidden from explorer search:

1
2

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\
Hidden\ShowAll (0)

The worm disabled the option to execute a System Restore to roll back to a good situation by changing this registry values:

1
2
3
4

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\
DisableSR (1)
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\
LimitSystemRestoreCheckpointing (1)

Other detections generated by other Antivirus are:

IM-Worm.Win32.Sohanad
IM-Worm.Win32.AutoIt.g
WORM_SOHANAD
W32.Imaut
W32/Sohana-AH

How to remove Worm.Win32.Sohanad ?

1) Kill malicious running processes associated with the worm
2) Delete malicious files
3) Delete malicious registry keys
4) Restore all the disabled functionalities of Windows
5) Check with your credit card company to see if your missing any money

You can use the following script to re-enable the functionalities of Windows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"ShowAll"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"LimitSystemRestoreCheckpointing"=dword:00000000

The script will perform these actions:

1) Enable Task manager
2) Enable Regedit
3) Enable SystemRestore
4) Enable Show Hidden Files option

Save the script as restore.reg and double click it.

You can also scan your system with NoVirusThanks Malware Remover to detect and remove other unwanted applications.