Sohanad.AE is a worm that infects Windows systems and spreads through Yahoo! Messenger, a popular instant messaging application.
The worm arrives as a downloaded file via Yahoo! Messenger.
Upon execution, this worm copies itself as SVHOST32.EXE and SVHOST.EXE in the Windows folder.
The worm adds an entry under the following registry key so that it is loaded at each system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the following registry keys, which alter Yahoo! Messenger settings:
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
The worm also modifies the registry to disable Registry Editor and Task Manager.
It also changes the Internet Explorer (IE) home page to:
http://{BLOCKED}coolpics.net
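A triage check for the registry artifacts listed above, added here as an example and not part of this write-up: it parses a constructed reg-export-style dump and flags the Run-key entry pointing at the dropped copies, the policy values that disable Registry Editor and Task Manager, the hijacked IE start page, and the Yahoo! Messenger keys. The value names DisableRegistryTools, DisableTaskMgr and Start Page are the standard Windows locations for those settings and are assumed, since the page does not name them.

```python
import re
# Constructed sample in "reg export" format, not a real capture. Key paths and file names
# come from the write-up; the policy/IE value names are the usual Windows locations (assumed).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svhost"="C:\\WINDOWS\\SVHOST32.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://{BLOCKED}coolpics.net"
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"""

DROPPED_NAMES = ("svhost32.exe", "svhost.exe")        # file names from the write-up
YM_KEYS = ("ymsgr_buzz", "ymsgr_launchcast")          # Yahoo! Messenger keys it creates
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Turn a .reg-style export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2).strip('"')
    return keys

def find_sohanad_indicators(text):
    """Return (finding, key_path) pairs for the registry artifacts the write-up lists."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith(r"\currentversion\run"):  # persistence: dropped copy in the Run key
            for name, data in values.items():
                if data.lower().replace("\\\\", "\\").endswith(DROPPED_NAMES):
                    findings.append((f"autorun entry '{name}' -> {data}", key))
        elif k.endswith(r"\policies\system"):  # Registry Editor / Task Manager disabled
            for pol in ("DisableRegistryTools", "DisableTaskMgr"):
                if values.get(pol, "").lower() == "dword:00000001":
                    findings.append((f"{pol} set", key))
        elif k.endswith(r"\internet explorer\main"):  # IE home page hijack
            if "coolpics.net" in values.get("Start Page", "").lower():
                findings.append(("IE start page hijacked", key))
        elif k.rsplit("\\", 1)[-1].lower() in YM_KEYS:  # Yahoo! Messenger settings keys
            findings.append(("Yahoo! Messenger setting key present", key))
    return findings
```

The benign ctfmon entry in the sample is deliberately left unflagged, so the same function can be run over a real `reg export` of the Run key without reporting every autostart.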
This worm propagates via Yahoo! Messenger by sending an instant message to all contacts of the logged-in user. The message contains a link to a remote copy of the worm; when the recipient clicks the link, a copy of the worm is downloaded and executed on the recipient's system.
The messages sent out by this worm are as follows:
Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
:D who is beside you in this pic http://thecoolpics.net/friendpic1.jpg so good-looking
:( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !! <<
oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<
It also attempts to connect to the following URLs to download and execute additional malicious files:
http://{BLOCKED}vey-sales.com/ipn/transactions/en.exe
http://{BLOCKED}vey-sales.com/ipn/transactions/link-en.exe
The worm also tries to terminate some security-related processes.