On 02 June 2008 at 7:26 PM PST, one of our analysts came across a malware detection for a file hosted on a regionally popular, legitimate site. A legitimate site does not host malware on purpose, so it seemed only proper to dig deeper into the story.
It appears that instead of mounting a sophisticated SQL injection or XSS attack, which has been all the rage since last May, the malicious user took a much more barefaced (and simpler) route: he/she uploaded the file through the site's restricted-access forum, using its file upload feature.
The file is detected by our scanners as WORM_SOHANAD.CO (since 03 September 2007). It spreads via instant messaging applications and via removable drives. It disables Task Manager, executes at each system startup, and drops copies of itself on the infected PC.
It is also possible that this was an unintended incident, with the user uploading an infected file without knowing it. Also, given that users have to log in, access the forums, and download the file before anything happens, the incident has little potential for large-scale damage. Note, however, that this worm propagates via instant messengers, so the prospects are dim should users actually get curious about what the WORM_SOHANAD.CO poster has uploaded.
The important thing this incident reminds us of is that no file can be trusted, which is exactly what your ever-trusty antivirus scanning engine is for. Never forget the basics. For Web admins, a file upload feature should only be enabled in conjunction with a good antivirus scanner that checks each upload before it is stored, to avoid inadvertently hosting infected files and handing malware writers another distribution channel.
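As an added illustration (not code from the original post or from Trend Micro), the following Python sketch shows the kind of server-side check an upload feature should run before storing a forum attachment: an extension allowlist, a look at the file's real magic bytes so a renamed executable is caught, a hash lookup against a block list, and a hook for an external scanner. The block list, the `demo_scanner` signature and the sample files are constructed for this example; in production the scanner hook would call a real engine such as ClamAV's clamd.

```python
import hashlib
import os
from typing import Callable, Optional, Set, Tuple

# File types a forum attachment is allowed to have (assumption for this example).
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".zip"}

# Leading bytes of executable formats that should never be served as an
# attachment, whatever the file happens to be named.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
}

# Constructed stand-ins: a "known bad" sample and a byte pattern the demo
# scanner treats as a signature. Neither is real SOHANAD data.
KNOWN_BAD_SAMPLE = b"constructed known-bad attachment for this example"
DEMO_SIGNATURE = b"CONSTRUCTED-SIGNATURE-DO-NOT-SHIP"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Block list keyed by SHA-256 of the file content, as a real one would be.
EXAMPLE_BLOCKLIST: Set[str] = {sha256_hex(KNOWN_BAD_SAMPLE)}


def demo_scanner(data: bytes) -> Optional[str]:
    """Constructed stand-in for an AV engine: returns a detection name or None."""
    if DEMO_SIGNATURE in data:
        return "DEMO_SIGNATURE"
    return None


def detect_executable(data: bytes) -> Optional[str]:
    """Identify an executable by its magic bytes, ignoring the claimed extension."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def vet_upload(
    filename: str,
    data: bytes,
    blocklist: Set[str],
    scanner: Optional[Callable[[bytes], Optional[str]]] = None,
) -> Tuple[str, str]:
    """Decide whether an uploaded file may be stored.

    Returns ("accept", storage_name), ("reject", reason) or ("quarantine", reason).
    """
    # Use only the base name: the client-supplied path is untrusted.
    name = os.path.basename(filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return "reject", f"extension {ext!r} is not allowed"

    # "photo.exe.jpg" passes the extension check, so look at the content itself.
    kind = detect_executable(data)
    if kind is not None:
        return "reject", f"content is a {kind} despite the name {name!r}"

    # Cheap hash lookup before the (comparatively expensive) scanner call.
    digest = sha256_hex(data)
    if digest in blocklist:
        return "reject", f"sha256 {digest[:16]}... is on the block list"

    # Archives are not unpacked here; looking inside them is the scanner's job.
    if scanner is not None:
        detection = scanner(data)
        if detection is not None:
            return "quarantine", f"scanner detection: {detection}"

    # Store under the content hash, never under the user-supplied name.
    return "accept", digest + ext
```

The ordering matters in practice: the allowlist and magic-byte checks cost nothing and stop the obvious cases, the hash lookup catches a file that has already been seen, and only then is the scanner invoked. A worm packed into a .zip passes the first three checks by design, which is exactly why the scanner hook is not optional.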
We have contacted CERT and the concerned site about our findings, and as of this writing, the infected file has been taken off the site.