

Fake Google Web Page and an IM WORM
Aug 29, by Jonell Baltazar (Advanced Threats Researcher)

We are all familiar with IM worms and the different techniques they use to get downloaded and executed on a target machine. One of these is WORM_SOHANAD (a.k.a. worm_sohanat, worm_imaut, worm_autoit), which leverages the MS06-014 MDAC vulnerability. There is a previous blog entry regarding this malware here.

Today, I would like to show another twist on the social engineering used by this malware. This time the malware uses a fake Google page (shown below): every hyperlink on the page points back to the same web page, and the page also contains a link to the malware itself.

[Image sohanad.JPG: the fake Google page]

As we can see on the web page, it says that we have to download an add-on, which is actually the malware. Checking the source code of the page, we find three obfuscated scripts.

[Image ob1.JPG: first obfuscated script]

[Image ob2.JPG: second obfuscated script]

When deobfuscated, they yield the following:

[Image d1.JPG: first deobfuscated script]

[Image d2.JPG: second deobfuscated script]

[Image d3.JPG: third deobfuscated script]

The files “home.exe” and “zun.exe” are identical; Trend Micro already detects them as WORM_SOHANAT.CO, while the other binary, “zin.exe”, is detected as WORM_VB.EIQ.
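The deobfuscated scripts above are only shown as screenshots, so as an added illustration (not code from the original post or from Trend Micro) here is a small Python helper that peels two common layers used by this kind of script, %XX escaping inside unescape() and String.fromCharCode() calls glued together with "+", and then lists the URLs and executable names left in the result. The sample script, its example.invalid host and its filename are constructed for this example; the real scripts may use other layers, in which case the decoding table would need extending.

```python
import re

# Constructed sample (not one of the post's scripts): a download link hidden behind
# two layers, %XX escaping inside unescape() and a String.fromCharCode() call.
# The host example.invalid is a reserved name and never resolves.
SAMPLE_SCRIPT = (
    'document.write(unescape("%3Ca%20href%3D%22") + '
    'String.fromCharCode(104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,'
    '105,110,118,97,108,105,100,47,104,111,109,101,46,101,120,101) + '
    'unescape("%22%3EDownload%3C%2Fa%3E"));'
)

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
_UNESCAPE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
_GLUE = re.compile(r'"\s*\+\s*"')  # "..." + "..." between two literals
_URL = re.compile(r"""https?://[^\s"'<>()]+""")
_EXE = re.compile(r"[\w.-]+\.exe\b", re.IGNORECASE)


def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _from_char_code(match):
    codes = [c for c in match.group(1).split(",") if c.strip()]
    return '"' + "".join(chr(int(c)) for c in codes) + '"'


def deobfuscate(script, max_rounds=10):
    """Replace each decodable call with its string literal until nothing changes.

    Looping handles nested layers: a decoded literal may itself contain another
    unescape() or fromCharCode() call, which the next round then resolves."""
    text = script
    for _ in range(max_rounds):
        new = _FROMCHARCODE.sub(_from_char_code, text)
        new = _UNESCAPE.sub(lambda m: '"' + js_unescape(m.group(1)) + '"', new)
        new = _GLUE.sub("", new)  # join adjacent literals into one string
        if new == text:
            break
        text = new
    return text


def extract_indicators(decoded):
    """Pull URLs and executable names out of decoded script text, order preserved."""
    return {
        "urls": list(dict.fromkeys(_URL.findall(decoded))),
        "executables": list(dict.fromkeys(_EXE.findall(decoded))),
    }


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_SCRIPT)
    print(decoded)
    print(extract_indicators(decoded))
```

The output of the decoder is meant for reading and indicator extraction, not for re-execution: the joined literal keeps the embedded quotes from the decoded HTML, which is fine for a regex pass but is no longer valid JavaScript.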

Another thing to note is that the malware appends entries to the target user’s “hosts” file. As a result, accessing any of the web sites listed there redirects the user to the malware web page.

[Image host.bmp: entries appended to the hosts file]
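Tampering of this kind is easy to spot on a machine once you know to look for it. As an added example (not from the original post; the addresses and names below are constructed, not the ones in the screenshot), this Python check parses a hosts file and flags any entry that maps a watched domain, or a subdomain of it, to a non-loopback address. Loopback mappings are deliberately left alone, since blocklist-style hosts files use 127.0.0.1 to blackhole names, which is a different and benign pattern from the redirection described above.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (illustrative only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.corp.local      # legitimate local override
203.0.113.7     www.google.com
203.0.113.7     google.com
203.0.113.7     www.yahoo.com
not-an-ip       www.live.com
"""

# Domains whose resolution should never be overridden by the local hosts file.
# Extend this list with whatever sites matter in your environment.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "live.com", "microsoft.com")


def parse_hosts(text):
    """Return (address, hostname) pairs, one per hostname, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        entries.extend((addr, name.lower().rstrip(".")) for name in names)
    return entries


def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (address, hostname, reason) for entries that hijack a watched domain."""
    findings = []
    for addr, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # A watched name with a garbage address is still worth a look.
            findings.append((addr, name, "unparseable address"))
            continue
        if ip.is_loopback:
            continue  # blackholing to 127.0.0.1 / ::1 is not a redirect
        findings.append((addr, name, "watched domain mapped to non-loopback address"))
    return findings


if __name__ == "__main__":
    for addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<20} {reason}")
```

On a real Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; feeding its contents to suspicious_entries() is all that changes. Several unrelated popular names all pointing at the same non-loopback address, as in the sample, is the tell-tale shape of this redirection trick.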

Malware authors constantly modify or add techniques to get their malware executed on vulnerable users’ machines. However, users can secure themselves from threats like this by applying security patches and keeping their anti-virus signatures up to date.




2 Responses to “Fake Google Web Page and an IM WORM”

  1. Go Get Global News & Views » Blog Archive » Beware, fake Google web page Says:

    [...] (Image from TrendMicro)  [...]

  2. In Anchor » New Malware Fakes Google Home Page Says:

    [...] the Trend Micro report about malware causing redirections to a fake Google homepage, researchers included a [...]



© Copyright 2008 Trend Micro Inc. All rights reserved.