Shoho outbreak--New worm, old tricks


December 20, 2001

On some systems, Shoho (w32.Shoho.a@mm, alias Welyah) launches itself as soon as the infected e-mail is previewed or viewed. Like SirCam, Shoho uses its own SMTP engine to send copies of itself to e-mail addresses found in the Outlook Address Book and other address files. In addition, Shoho deletes a number of Windows files, which can cause a general protection error on some systems at the next reboot.

Because of the potential for excess e-mail and file damage, Shoho currently ranks a 6 on the ZDNet Virus Meter.

How it works
Shoho arrives as e-mail with a subject line that reads "Welcome to Yahoo! Mail."

The body text reads as follows:

    This messages a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set.

The attached file, readme.txt, is not really a text file but a forged EXE file that contains the malicious code.
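A mail-gateway check for the lure described above, added here as an illustration and not part of the original article: it parses a message with Python's standard email module and flags any attachment named like a text file whose bytes begin with the MZ header of a DOS/Windows executable, then combines that with the known subject line. The sample message is constructed inline; the MZ-header rule is a general executable check, not something the article itself states.

```python
import email
from email import policy
from email.message import EmailMessage

SHOHO_SUBJECT = "Welcome to Yahoo! Mail."   # subject line quoted in the article
TEXT_EXTENSIONS = (".txt",)
MZ_MAGIC = b"MZ"                            # DOS/PE executable header (general rule)


def is_forged_text_executable(part) -> bool:
    """True when a part claims a text-file name but carries an executable."""
    name = part.get_filename() or ""
    if not name.lower().endswith(TEXT_EXTENSIONS):
        return False
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == MZ_MAGIC


def scan_message(raw: bytes) -> dict:
    """Return subject match, forged attachment names and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    forged = [p.get_filename() for p in msg.iter_attachments()
              if is_forged_text_executable(p)]
    subject_match = subject == SHOHO_SUBJECT
    if subject_match and forged:
        verdict = "shoho-like"      # lure subject plus forged EXE attachment
    elif forged:
        verdict = "suspicious"      # forged EXE under a .txt name, other subject
    else:
        verdict = "clean"
    return {"subject_match": subject_match,
            "forged_attachments": forged,
            "verdict": verdict}


def build_sample(subject: str, attach_name: str, attach_bytes: bytes) -> bytes:
    """Constructed test message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("open the attached message.")
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample(SHOHO_SUBJECT, "readme.txt", b"MZ\x90\x00" + b"\x00" * 60)
    print(scan_message(sample))
```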

If a user opens the attached file, Shoho copies itself to the Windows directory as Winl0g0n.exe and adds a line to the Registry in order to run every time Windows is started.

Shoho also adds the following files to the C:\Windows directory of an infected computer:

    email.txt
    emailinfo.txt
    drwatson
    drwatsonframe.htm
    winl0g0n.exe

The worm will attempt to delete the following files from the C:\Windows directory:

    1stboot.bmp
    asd.exe
    cleanmgr.exe
    clspack.exe
    control.exe
    cvtaplog.exe
    defrag.exe
    dosrep.exe
    drwatson.exe
    drwatson
    drwatsonframe.htm
    emm386.exe
    himem.sys
    hwinfo.exe
    jautoexp.dat
    kacheln.bmp
    kreise.bmp
    license.txt
    logos.sys
    logow.sys
    moricons.dll
    nddeapi.dll
    nddenb.dll
    netdet.ini
    ramdrive.sys
    runhelp.cab
    script.doc
    setup.bmp
    smartdrv.exe
    streifen.bmp
    suback.bin
    support.txt
    telephon.ini
    w98setup.bin
    wellen.bmp
    win.com
    win.ini
    winsock.dll

Deletion of the above files may result in a general protection failure the next time the computer is rebooted.

Prevention
Patch or upgrade Internet Explorer to close the "Automatic execution of embedded MIME types" vulnerability. Users of IE 5.01 need to install the patch described in Microsoft security bulletin MS01-020.

Users can also upgrade to IE 5.5 SP2 or IE 6.0, provided they choose a full install. Users of Microsoft Outlook 2002, and users of Outlook 2000 who have installed the Security Update, should be safe. Users who have not upgraded to Outlook 2002, or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch, should do so.

In general, do not open attached files in e-mail until you've saved them to the hard disk and scanned them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signatures.

Removal
A few antivirus software companies have updated their signature files to include this worm. These updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see F-Secure, Kaspersky, McAfee, Sophos, and Trend Micro.

By Robert Vamosi, ZDNet Reviews. Copyright © 2001 CNET Networks, Inc.
