Shoho outbreak--New worm, old tricks
December 20, 2001
On systems whose Internet Explorer is unpatched, Shoho (w32.Shoho.a@mm, alias Welyah) launches itself as soon as the infected e-mail is previewed or viewed; the attachment does not have to be opened. Like SirCam, Shoho carries its own SMTP engine and uses it to mail copies of itself to addresses found in the Outlook Address Book and other address files. Shoho also deletes some Windows files, which can cause a general protection error on some systems at the next reboot.
Because of the potential for excess e-mail and file damage, Shoho currently ranks a 6 on the ZDNet Virus Meter.
How it works
Shoho arrives as e-mail with a subject line that reads "Welcome to Yahoo! Mail."
The body text reads as follows:
- This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.
The attached file, readme.txt, is not a text file at all: it is an executable carrying the worm's code, named so that it looks like harmless text.
If the user opens the attachment, Shoho copies itself into the Windows directory as Winl0g0n.exe (the name mimics winlogon.exe, with zeros in place of the letter o) and adds a Registry entry so that it runs every time Windows starts.
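The two places where this worm can be caught are the mail gateway (the lure) and the host (the dropped file and its Run entry). The script below is an added example written for this article; it is not code from the article or from the worm. It takes only the subject line, the readme.txt attachment name and the Winl0g0n.exe file name from the text above; the sample message, the Run-key and directory listings, and the detection rules are constructed here. The decisive mail check is that the attachment's bytes begin with the MZ executable header, regardless of its name or declared MIME type, which is exactly the mismatch the lure relies on.

```python
"""Detect the Shoho lure in mail and its persistence artefacts on a host.

Added example for this article, not code from the article or from the worm.
Taken from the article: the subject line, the readme.txt attachment name and
the dropped file name Winl0g0n.exe. Everything else (the sample message, the
registry and directory listings, the detection rules) is constructed here.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SHOHO_SUBJECT = "Welcome to Yahoo! Mail"
SHOHO_DROPPED_FILE = "winl0g0n.exe"      # zeros where winlogon.exe has the letter o
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}
PE_MAGIC = b"MZ"                         # every DOS/Windows executable starts with "MZ"


def build_sample_message() -> bytes:
    """Construct a message shaped like the lure; the bytes here are filler, not the worm."""
    msg = EmailMessage()
    msg["From"] = "welcome@example.invalid"      # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = SHOHO_SUBJECT
    msg.set_content(
        "This message uses a character set that is not supported by the Internet "
        "Service. To view the original message content, open the attached message."
    )
    # Declared as text/plain and named readme.txt, but the payload starts with an
    # executable header. A harmless fake: "MZ" plus zero padding and a "PE" marker.
    fake_exe = PE_MAGIC + b"\x90\x00" + b"\x00" * 58 + b"PE\x00\x00"
    msg.add_attachment(fake_exe, maintype="text", subtype="plain",
                       filename="readme.txt")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list[str]:
    """Return the Shoho indicators present in a raw RFC 822 message (empty list if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    if str(msg["Subject"] or "").strip() == SHOHO_SUBJECT:
        findings.append("subject matches the Shoho lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        if name.lower() == "readme.txt":
            findings.append("attachment is named readme.txt, the Shoho lure name")
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
            findings.append(f"attachment {name!r} has an executable extension")
        # The decisive check: content, not the name or the declared MIME type.
        if data.startswith(PE_MAGIC):
            findings.append(
                f"attachment {name!r} is declared {declared} but starts with an MZ executable header")
    return findings


# Constructed host data: a mapping of Run-key value names to their command lines,
# and a listing of the Windows directory. On a live system you would read the
# Run values with winreg; the article does not say which Run key Shoho uses.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "Winl0g0n": r"C:\WINDOWS\Winl0g0n.exe",
}
SAMPLE_WINDOWS_DIR = ["explorer.exe", "notepad.exe", "Winl0g0n.exe", "win.ini"]


def check_host(run_values: dict, windows_dir_listing: list) -> list[str]:
    """Flag the dropped file and its Run entry; comparison is case-insensitive, as on Windows."""
    findings = []
    for value_name, cmd in run_values.items():
        if SHOHO_DROPPED_FILE in cmd.lower():
            findings.append(f"Run value {value_name!r} launches {cmd}")
    for fname in windows_dir_listing:
        if fname.lower() == SHOHO_DROPPED_FILE:
            findings.append(f"{fname} in the Windows directory (mimics winlogon.exe with zeros)")
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("mail:", finding)
    for finding in check_host(SAMPLE_RUN_VALUES, SAMPLE_WINDOWS_DIR):
        print("host:", finding)
```

Note that the extension check alone would miss this attachment, since its name ends in .txt; only the content check catches it. A gateway rule that strips or quarantines any attachment whose bytes begin with MZ, whatever the name says, is the general form of that check.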
Shoho also writes the following files to the C:\Windows directory:
Deletion of the above files may result in a general protection failure the next time the computer is rebooted.
Patch or upgrade Internet Explorer to close the "Automatic execution of embedded MIME types" vulnerability, which is what lets the attachment run when the message is merely previewed. Users of IE 5.01 need the patch described in Microsoft security bulletin MS01-020.
Alternatively, upgrade to IE 5.5 SP2 or IE 6.0, choosing a full install. Users of Microsoft Outlook 2002, and users of Outlook 2000 who have installed the Security Update, should be safe. Users who have not upgraded to Outlook 2002, or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch, should do so.
In general, do not open attached files in e-mail until you've saved them to the hard disk and scanned them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signatures.
Several antivirus vendors have already updated their signature files to include this worm. These updates will detect the worm on arrival and, in some cases, remove an active infection from your system. For more information, see F-Secure, Kaspersky, McAfee, Sophos, and Trend Micro.
By Robert Vamosi, ZDNet Reviews. Copyright © 2001 CNET Networks, Inc.