Dec 2, 3:51 am (UTC-7) | by Reuel Morales (Security Consultant)
SOHANAD may be an old malware family, but it remains a prevalent threat in the Asia/Pacific region. WORM_SOHANAD is created using AutoIt, a freeware scripting language for MS Windows. The script is then compiled into a Win32 executable (a PE file) using the Aut2Exe tool to produce the malware's final build. Aside from SOHANAD, other worm families such as SILLY, YAHLOVER, AUTORUN, and IMAUT are also created with AutoIt scripts.
Nhatquanglan: A Common SOHANAD Threat in Southeast Asia and India
Most SOHANAD variants originated from several Southeast Asian countries like Vietnam (Nhatquanglan and ViRuSLoVeHD), India (Khatarnak), the Philippines (Funny_UST_Scandal), and Indonesia (VirusBenci). Nhatquanglan remains as the most common SOHANAD variant in Southeast Asia and India. It may arrive in the system via the following vectors:
- Web (as downloaded malware)
- Yahoo! Messenger v8.0 and below
- Network shared folders/drives
- Removable media (i.e. USB, flash memory cards, etc.)
Similar to other SOHANAD variants, Nhatquanglan also spams messages containing malicious links to the affected user's instant messenger (IM) contacts. Some of these messages are even written in Vietnamese.
The Dangers and Risks SOHANAD Poses
When executed in the system, SOHANAD disables the Registry Editor and the Windows Task Manager. It also modifies the affected user’s homepage and terminates certain processes related to antivirus programs. In addition, it sends enticing messages with malicious URLs to the user’s contacts. When the affected user’s contacts click the link, they, too, will be infected with SOHANAD.
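The tampering described above leaves traces in well-known places: the Task Manager and Registry Editor lockouts are the standard Windows policy values DisableTaskMgr and DisableRegistryTools under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, and the homepage change is the Start Page value under HKCU\Software\Microsoft\Internet Explorer\Main. The following Python script is an added example for triage, not code from the original post or from Trend Micro: it parses the text of a .reg export (as written by `reg export <key> <file>`) and reports those indicators. The embedded export is a constructed sample, and the hostname in it is a placeholder.

```python
import re

# Standard Windows registry locations for the settings the post says SOHANAD
# modifies. Key paths and value names are compared case-insensitively, since
# the registry itself is case-insensitive.
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"

# Constructed sample of a .reg export from a host showing the tampering
# described in the post (Task Manager and regedit disabled, start page changed).
# A real export is UTF-16 text; decode it with open(path, encoding="utf-16").
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://homepage.example.invalid/changed"
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Key paths and value names are lowercased. Handles the two value types
    needed here: dword:XXXXXXXX (parsed as int) and "string" (unescaped);
    any other type is kept as its raw text.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw_value = m.group(1).lower(), m.group(2)
        if raw_value.startswith("dword:"):
            value = int(raw_value[len("dword:"):], 16)
        elif raw_value.startswith('"') and raw_value.endswith('"'):
            value = raw_value[1:-1].replace('\\\\', '\\')
        else:
            value = raw_value
        result[current][name] = value
    return result


def find_tampering(text, expected_start_page="about:blank"):
    """Return a list of findings matching the registry changes the post describes."""
    reg = parse_reg_export(text)
    findings = []
    policies = reg.get(POLICY_KEY, {})
    if policies.get("disabletaskmgr") == 1:
        findings.append("Task Manager disabled via DisableTaskMgr=1")
    if policies.get("disableregistrytools") == 1:
        findings.append("Registry Editor disabled via DisableRegistryTools=1")
    start_page = reg.get(IE_MAIN_KEY, {}).get("start page")
    if start_page is not None and start_page != expected_start_page:
        findings.append(f"Browser start page changed to {start_page}")
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_REG_EXPORT):
        print(finding)
```

Pass the organisation's actual default start page as `expected_start_page` so a legitimately configured homepage is not reported; a policy value of 1 is reported regardless, since an end user's machine normally has neither lockout set.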
Why Is It a Persistent Threat?
The cybercriminals behind SOHANAD leverage AutoIt for malware creation, which may explain why SOHANAD remains so rampant. AutoIt scripts can be easily modified and updated, so SOHANAD's authors are able to deploy multiple variants at a time. In addition, AutoIt is easy to use: writing or modifying a script to automate a malware's malicious activities is comparable to creating or editing a batch file. As of this writing, some SOHANAD scripts have already fallen into the hands of script kiddies.
One of the notable characteristics of SOHANAD is its ability to actively update itself. It continues to update its binaries while lurking in the process space of the affected system. SOHANAD also keeps downloading a file called SETTING.INI from several malicious websites. SETTING.INI contains all the updated information and may vary from time to time. Based on the collected samples, SOHANAD is capable of updating itself every two hours. The update frequency may also vary, depending on the latest downloaded SETTING.INI configuration. What is most alarming here is that detection and cleanup solutions may prove ineffective against malware that keeps updating itself and its behavior.
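The regular SETTING.INI downloads are a network-side indicator that does not depend on the binary's current hash: a client that fetches a file of that name from several hosts at a nearly constant interval stands out in web proxy logs. The Python script below is an added example of that detection logic, not code from the original post or from Trend Micro. The log format, client addresses and hostnames are constructed for the example (the ".invalid" hosts are placeholders); the roughly two-hour period comes from the post.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp, client IP, method, URL, HTTP status.
# Client 10.0.0.5 fetches SETTING.INI from several hosts about every two hours,
# as the post describes; client 10.0.0.9 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2009-12-01T00:05:12Z 10.0.0.5 GET http://update1.example.invalid/SETTING.INI 200
2009-12-01T00:07:40Z 10.0.0.9 GET http://news.example.invalid/index.html 200
2009-12-01T02:05:30Z 10.0.0.5 GET http://update2.example.invalid/setting.ini 200
2009-12-01T03:11:02Z 10.0.0.9 GET http://news.example.invalid/style.css 200
2009-12-01T04:06:01Z 10.0.0.5 GET http://update1.example.invalid/SETTING.INI 200
2009-12-01T06:04:55Z 10.0.0.5 GET http://update3.example.invalid/SETTING.INI 404
2009-12-01T08:05:20Z 10.0.0.5 GET http://update2.example.invalid/SETTING.INI 200
"""


def parse_proxy_log(text):
    """Yield one dict per well-formed log line of the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"time": ts, "client": parts[1], "method": parts[2],
               "url": parts[3], "status": int(parts[4])}


def find_periodic_fetches(text, filename="setting.ini", min_requests=3, max_jitter=0.15):
    """Flag clients that request `filename` at a nearly constant interval.

    For each client, the gaps between successive requests for the file are
    compared with their median; if every gap is within max_jitter (a fraction
    of the median) the pattern is beacon-like and is reported together with
    the set of hosts contacted. Failed fetches (non-200) still count, since the
    attempt itself is the indicator.
    """
    by_client = defaultdict(list)
    for rec in parse_proxy_log(text):
        url = urlparse(rec["url"])
        if url.path.rsplit("/", 1)[-1].lower() == filename:
            by_client[rec["client"]].append((rec["time"], url.hostname))

    findings = []
    for client, events in by_client.items():
        events.sort()
        if len(events) < min_requests:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = max(abs(g - median) for g in gaps) / median
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "requests": len(events),
                "period_seconds": median,
                "hosts": sorted({host for _, host in events}),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_fetches(SAMPLE_PROXY_LOG):
        print(f"{f['client']}: {f['requests']} fetches, period ~{f['period_seconds'] / 3600:.1f} h, hosts {f['hosts']}")
```

Because the post notes that the update interval can change with each downloaded configuration, the check keys on regularity rather than on a fixed two-hour value; the tolerance `max_jitter` can be loosened if the fetches are delayed by sleep or network outages.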
User Protection
With that in mind, file detection alone is not sufficient to stop a continuously changing threat like SOHANAD. Users need a powerful security product like the Smart Protection Network™, which blocks all malicious URLs to prevent users from getting infected.