The last notable Sohanad variant, WORM_SOHANAD.U, was detected last February. Its social engineering lure rode on the publicity around the Windows Vista release. The Sohanad variant currently spreading in the wild, however, falls back on a more “classic” Sohanad trick: detected late last May as WORM_SOHANAD.BO, it propagates through instant messages written in Vietnamese.
Late last year, when the shift in the threat landscape was only beginning to be accepted industry-wide, specialized threats such as the WORM_SOHANAD variants, written in Vietnamese and carrying Vietnamese pop culture references, helped cement a distinguishing characteristic of the rising group of threats: they are target-specific. They still execute the regular worm routines, propagation and backdoor capabilities among them, but their localized social engineering heralded the arrival of more customized threats.
This brings us back to WORM_SOHANAD.BO. It performs the usual Sohanad tricks, down to disabling Task Manager and Registry Editor so that an infected user cannot easily inspect running processes or undo the worm's changes. The appearance of yet another variant from this family suggests it will continue what previous variants started, which is to be expected of a family that figured considerably in shaping the current Web threat trend.
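Disabling Task Manager and Registry Editor is normally done through the Windows policy values DisableTaskMgr and DisableRegistryTools under the Policies\System key. The post does not state which mechanism this variant uses, so the check below assumes the standard policy values. It is an added example for incident responders, not code from the original post or from Trend Micro; it inspects both the per-user and machine-wide keys and, with -Remediate, removes the offending values.

```powershell
# Added example: check for (and optionally clear) the policy values that
# disable Task Manager and Registry Editor. Assumes the malware used the
# standard policy mechanism; the post does not say which one WORM_SOHANAD.BO uses.

param(
    [switch]$Remediate   # remove the values instead of only reporting them
)

# Both the current user's hive and the machine hive can carry these policies.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Value name -> the tool it disables when set to 1.
$policyValues = @{
    'DisableTaskMgr'       = 'Task Manager (taskmgr.exe)'
    'DisableRegistryTools' = 'Registry Editor (regedit.exe)'
}

$findings = @()

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }

    $props = Get-ItemProperty -Path $key

    foreach ($name in $policyValues.Keys) {
        $value = $props.$name
        if ($null -eq $value) { continue }

        $findings += [pscustomobject]@{
            Key      = $key
            Name     = $name
            Value    = $value
            Disables = $policyValues[$name]
        }

        # A value of 1 means the tool is blocked; 0 or absent means it is allowed.
        if ($Remediate -and $value -eq 1) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
            Write-Host "Removed $name from $key"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Task Manager / Registry Editor lockout policies found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script as the affected user first (the HKCU key belongs to that user's hive) and then from an elevated prompt for the HKLM key. A value present in a home-user environment with no domain policy in place is a strong indicator of tampering, but in a managed environment confirm with the administrator that the policy was not set deliberately before removing it.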