Topic: W32/Hakaglan.worm.gen

[Amker]

Type
Virus
SubType
Worm
Discovery Date
05/15/2007
Length
varies
Minimum DAT
5031 (05/15/2007)
Updated DAT
5031 (05/15/2007)
Minimum Engine
5.1.00
Description Added
05/15/2007
Description Modified
05/16/2007


Overview -


W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
Aliases
IM-Worm.Win32.Sohanad.t (Kaspersky)
W32.Yautoit (Symantec)
W32/Sohana-R (Sophos)
Win32/YahLover.AO (CA)
Worm/Sohanad.NAK (Antivir)
Characteristics -


W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares


Upon execution the worm drops the following files:
%WINDIR%\SSVICHOSST.exe -> Worm Component
%SYSDIR%\SKCVHOSThk.dll  ->  Keylogger Component
%SYSDIR%\SKCVHOST.exe    ->  Keylogger Component
%SYSDIR%\SKCVHOSTr.exe   ->  Keylogger Component

Creates the following registry keys to hook at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” =” Explorer.exe SSVICHOSST.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
“Yahoo Messengger”  = “%SYSDIR%\ SSVICHOSST.exe”

The worm creates a job file (At1.job) which schedules to execute itself everyday at 09:00 hrs.

Modifes the following registry keys to hide folder options and disable the taskmanager, registry editing etc.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NofolderOptions"= “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr"=”1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools"=”1”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\
"AtTaskMaxHours" =”0”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\
"shared"="\\[SHARES]\New Folder.exe"
Symptoms -


Ends the following processes and closes applications if the window title has:
[FireLion]
Bkav2006
System Configuration
Registry
Windows Task
cmd.exe

Attempts to delete following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run="BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run=”IEProtection"

Downloader Component:

The worm connects to the following domains to download updated variants of itself and additional malware.

http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/
http://nhatquan[BLOCKED].t35.com/


At the time of writing this description, variants of KeyLog-Perfect.dll, Keylog-Perfect and Generic ProcKill.c were observed to be downloaded.

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
Method of Infection -

The worm spreads through passing any of the above links pointing to a hosted copy of the worm to all users listed in infected person’s yahoo buddy list.

Victims typically get infected when they download and execute the spammed copy of the worm.

It also spreads via network shares and removable drives.
Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

[Samker]

*Since We have a lot of Visitis related to remove Hakaglan, We will provide you all posible solutions to clean this Malware.

- W32/Hakaglan.worm is a worm written in AutoIT that spreads via Yahoo Messenger, removable drives and network shares
- Aliases: IM-Worm.Win32.Sohanad.t (Kaspersky) W32.Yautoit (Symantec) W32/Sohana-R (Sophos) Win32/YahLover.AO (CA) Worm/Sohanad.NAK (Avira)

- Removal method:
1. Check your AntiVirus (which one is, is it updated and did you make full scan of your PC (after update).

2. If you can't clean worm with this way, reinstal your AV and download & instal one off this AV: McAfee or Kaspersky (here at SCForum.info we provide you link to latest downloads, just check right section) and go again at step 1.

3. Don't forget to turn off System Restore at your PC.

4. Also here is a solution for "handy" cleaning this Malware:

"Enabling The Registry Editor and Task Manager

This malware disables the Registry Editor. To restore the said system tool, perform the following instructions:

Open Notepad. Click Start>Run, type Notepad, then press Enter.
Copy and paste the following:
On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete
 
Save this file as C:\RESTORE.VBS.
Click Start>Run, type C:\RESTORE.VBS, then press Enter.
Click Yes at the prompt of the message box.
Terminating the Malware Program

This procedure terminates the running malware process.

Open Windows Task Manager.
• On Windows 98 and ME, press
CTRL+ALT+DELETE
• On Windows NT, 2000, XP, and Server 2003, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
RVHOST.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

--------------------------------------------------------------------------------
*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.
On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entry from the Registry

Removing the autostart entry from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Yahoo Messengger = "%System%\RVHOST.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)-->
Removing Other Entry from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>
CurrentVersion>Policies>Explorer
In the right panel, locate and delete the entry:
NofolderOptions = "1"
Restoring Modified Entries from the Registry

Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>
CurrentVersion>Winlogon
In the right panel, locate the entry:
Shell = "Explorer.exe RVHOST.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Explorer.exe
In the right panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
Services>Schedule
In the right panel, locate the entry:
NextAtJobId = "2"
Right-click on the value name and choose Modify. Change the value data of this entry to:
1
Close Registry Editor.
Deleting the Malware File(s)

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the Named input box, type:
AT1.JOB
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the file then press SHIFT+DELETE.
Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s)."

***If you, after this all steps still have problem with Hakaglan go and post Your problem in Our HELP section, direct link is in my Signature (right belowe this post).***

[assmaa nagy]

thanks for the marvellous script it is a magic.

the problem is now a history on the PCs using XP but i still face problems on the win NT4 machines as the script doesn't run on them, please advice

[Samker]

thanks for the marvellous script it is a magic.

the problem is now a history on the PCs using XP but i still face problems on the win NT4 machines as the script doesn't run on them, please advice

Assmaa Nagy, Welcome to Comunity & Thank You for your nice words.

You will also need to provide us more details and specific description how PC now work:

Please download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

After that please start a new topic inside HELP CENTER with all posible details related to that error and also provide us a log from HijackThis (just simple copy-paste) so we take a look what's a problem: http://scforum.info/index.php/board,16.0.html

bye,

Samker

[dheivasigamani]

Dear, am facing the problem last 3 days, i need ur help. per example the folder name is ( mani ) inside the folder it is creating mani & each and every folder it is creating another folder in the same name.. can u ple help out...

regards,
dheiva sigamani.b

[dheivasigamani]

hai..

[medz]

please help
I have clean my pc with your instructions.
but how to clean or delete worm: sohanad.NAK from flashdisk
thanks a lot

[Samker]

Dear, am facing the problem last 3 days, i need ur help. per example the folder name is ( mani ) inside the folder it is creating mani & each and every folder it is creating another folder in the same name.. can u ple help out...

regards,
dheiva sigamani.b

please help
I have clean my pc with your instructions.
but how to clean or delete worm: sohanad.NAK from flashdisk
thanks a lot

Hi medz & dheivasigamani.

Welcome to Community!

We will do our best to help you both.

Now, you will need to follow my instruction, so we can do that in a short time:

1. Go to our "Help Center" and start new topic related to yours problem: http://scforum.info/index.php/board,16.0.html

2. In that topic, provide us all possible details related to yours problems.

I'll be waiting yours reply.

bye,

Samker

P.S. (to medz)

Also, I'll suggest you to register, so you have enabled more SCforum options.

[Megha]

Hi,

I run the given script on my pc.
But it is giving Compilation Error.

Script: C:\RESTORE.VBS
Line: 4
Char:1
Error:Expected Statement
Code:800A0400
Source: Microsoft VBScript compilation error

Can anybody give solution of this problem.

Thanks,
Meghana

[Samker]

Hi,

I run the given script on my pc.
But it is giving Compilation Error.

Script: C:\RESTORE.VBS
Line: 4
Char:1
Error:Expected Statement
Code:800A0400
Source: Microsoft VBScript compilation error

Can anybody give solution of this problem.

Thanks,
Meghana

Hi Meghana.

Welcome to the SCF Community!

- Please go to our "Help Center" and start new topic related to yours problem: http://scforum.info/index.php/board,16.0.html

- In that topic, provide us all possible details related to yours problems.

I'll wait your reply.

bye,

Samker

P.S.

Also, it will be good idea for you to register and enable more SCforum options. For registration process you need only 10 sec.