Shoho outbreak--New worm, old tricks
December 20, 2001
On some systems, Shoho (w32.Shoho.a@mm, alias Welyah) launches itself as soon as the infected e-mail is previewed or viewed. Like SirCam, Shoho uses its own SMTP engine to send copies of itself to e-mail addresses found in the Outlook Address Book and other address files. Beyond mailing itself, Shoho deletes some Windows files, which can cause a general protection error on some systems at the next reboot.
Because of the potential for excess e-mail and file damage, Shoho currently ranks a 6 on the ZDNet Virus Meter.
How it works
Shoho arrives as e-mail with a subject line that reads "Welcome to Yahoo! Mail."
The body text reads as follows:
- This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.
The attached file, readme.txt, is not really a text file but a forged EXE file that contains the malicious code.
If the user opens the attachment, Shoho copies itself to the Windows directory as Winl0g0n.exe and adds a Registry entry so that it runs every time Windows starts.
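The delivery pattern just described (a fixed subject line, a body that asks the recipient to open the attachment, and a readme.txt that is really an executable) is something a mail gateway can check for. The following Python script is an added example written for this page, not code from the article or from any antivirus vendor. It constructs a sample message that imitates the lure (the attachment is a stub that merely begins with the "MZ" executable header and is not a real program), then flags any attachment whose declared name or Content-Type promises text while its decoded bytes say "executable". The addresses, the clean comparison message and the helper names are all made up for the demonstration.

```python
# Added example for this page (not the article's or any vendor's code): a
# mail-gateway style check for the Shoho delivery pattern described above.
# Every name, address and message below is constructed for the demonstration.
import email
from email import policy
from email.message import EmailMessage

LURE_SUBJECT = "Welcome to Yahoo! Mail."        # subject line quoted in the alert
EXE_MAGIC = b"MZ"                               # first two bytes of a Windows executable
TEXT_LIKE_SUFFIXES = (".txt", ".htm", ".html")  # names that promise harmless text


def build_sample_message():
    """Construct a message that imitates the lure. The attachment is a stub that
    only begins with the MZ header; it is not a real program."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # constructed address
    msg["To"] = "recipient@example.invalid"   # constructed address
    msg["Subject"] = LURE_SUBJECT
    msg.set_content(
        "This message uses a character set that is not supported by the "
        "Internet Service. To view the original message content, open the "
        "attached message."
    )
    stub = EXE_MAGIC + b"\x90\x00\x03\x00" + b"STUB-NOT-A-REAL-PROGRAM"
    # Declared as text/plain and named readme.txt, but the bytes say "executable".
    msg.add_attachment(stub, maintype="text", subtype="plain", filename="readme.txt")
    return msg.as_bytes()


def build_clean_message():
    """Construct an ordinary message with a genuine text attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"    # constructed address
    msg["To"] = "recipient@example.invalid"    # constructed address
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.")
    msg.add_attachment("1. Review patch status\n2. Update signatures\n",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def find_forged_attachments(msg):
    """Return one finding per attachment whose declared name or Content-Type
    promises text while the decoded payload starts with the MZ header."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        claims_text = name.endswith(TEXT_LIKE_SUFFIXES) or ctype.startswith("text/")
        if claims_text and data.startswith(EXE_MAGIC):
            findings.append({
                "filename": name,
                "content_type": ctype,
                "reason": "MZ header in a part declared as text",
            })
    return findings


def assess(raw_bytes):
    """Parse a raw RFC 822 message and report the two indicators from the alert:
    the known lure subject and any forged text-looking attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    return {
        "lure_subject": subject == LURE_SUBJECT,
        "forged_attachments": find_forged_attachments(msg),
    }


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_message()), ("clean", build_clean_message())):
        print(label, assess(raw))
```

The subject string is the weaker of the two indicators, since it changes from variant to variant; the name/Content-Type versus magic-bytes mismatch catches the whole class of forged attachments that the "embedded MIME types" flaw discussed under Prevention made dangerous, which is why the check keys on the payload rather than on the label.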
Shoho also adds the following files to the C:\Windows directory of an infected computer:
email.txt
emailinfo.txt
drwatson
drwatsonframe.htm
winl0g0n.exe
Shoho also deletes the following files from the Windows directory:
1stboot.bmp
asd.exe
cleanmgr.exe
clspack.exe
control.exe
cvtaplog.exe
defrag.exe
dosrep.exe
drwatson.exe
drwatson
drwatsonframe.htm
emm386.exe
himem.sys
hwinfo.exe
jautoexp.dat
kacheln.bmp
kreise.bmp
license.txt
logos.sys
logow.sys
moricons.dll
nddeapi.dll
nddenb.dll
netdet.ini
ramdrive.sys
runhelp.cab
script.doc
setup.bmp
smartdrv.exe
streifen.bmp
suback.bin
support.txt
telephon.ini
w98setup.bin
wellen.bmp
win.com
win.ini
winsock.dll
Deletion of the above files may result in a general protection failure the next time the computer is rebooted.
Prevention
Patch or upgrade Internet Explorer to close the "Automatic execution of embedded MIME types" vulnerability. Users of IE 5.01 need the patch described in Microsoft security bulletin MS01-020.
Users can also upgrade to IE 5.5 SP2 or IE 6.0, provided they choose a full install. Users of Microsoft Outlook 2002, and users of Outlook 2000 who have installed the Security Update, should be safe. Users who have not upgraded to Outlook 2002, or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch, should do so.
In general, do not open attached files in e-mail until you've saved them to the hard disk and scanned them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signatures.
Removal
A few antivirus software companies have updated their signature files to include this worm. These updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see F-Secure, Kaspersky, McAfee, Sophos, and Trend Micro.
By Robert Vamosi, ZDNet Reviews. Copyright © 2001 CNET Networks, Inc.