Interesting People mailing list archives

IP: Shoho outbreak--New worm, old tricks


From: David Farber <dave () farber net>
Date: Fri, 21 Dec 2001 15:23:14 -0500


Date: Fri, 21 Dec 2001 12:14:13 -0800
From: Ari Ollikainen <Ari () OLTECO com>
Subject: Shoho outbreak--New worm, old tricks
X-Sender: ari () mail olteco com
To: farber () cis upenn edu

        'tis the season for email worms and virii, apparently:

Shoho outbreak--New worm, old tricks

By Robert Vamosi
ZDNet Reviews
December 20, 2001 4:41 PM PT

Yet another worm has cleverly taken advantage of a well-publicized
and already patched vulnerability in Internet Explorer by offering an
e-mail message that sounds legitimate to frequent Internet users.


On some systems, Shoho (w32.Shoho.a@mm, alias Welyah) will launch itself
when the infected e-mail is previewed or viewed. Shoho also uses its own SMTP engine, as SirCam does, to send out copies of itself to e-mail addresses found in the Outlook Address book and other address files. However, Shoho deletes some Windows files and can cause a general protection error on some systems upon reboot.

Because of the potential for excess e-mail and file damage, Shoho currently ranks a 6 on the ZDNet Virus Meter.

How it works

Shoho arrives as e-mail with a subject line that reads "Welcome to Yahoo! Mail."

The body text reads as follows:

        This messages a character set that is not supported by the
        Internet Service. To view the original message content, open
        the attached message. If the text doesn't display correctly,
        save the attachment to disk, and then open it using a viewer that
        can display the original character set.

The attached file, readme.txt, is not really a text file but a forged EXE file that contains the malicious code.

If a user opens the attached file, Shoho copies itself to the Windows directory as Winl0g0n.exe and adds a line to the Registry in order to run every time Windows is started.

Shoho also adds the following files to an infected computer in the C:\Windows subdirectory:

email.txt
emailinfo.txt
drwatson
drwatsonframe.htm
winl0g0n.exe

The worm will attempt to delete the following files from the C:\Windows subdirectory:

1stboot.bmp
asd.exe
cleanmgr.exe
clspack.exe
control.exe
cvtaplog.exe
defrag.exe
dosrep.exe
drwatson.exe
drwatson
drwatsonframe.htm
emm386.exe
himem.sys
hwinfo.exe
jautoexp.dat
kacheln.bmp
kreise.bmp
license.txt
logos.sys
logow.sys
moricons.dll
nddeapi.dll
nddenb.dll
netdet.ini
ramdrive.sys
runhelp.cab
script.doc
setup.bmp
smartdrv.exe
streifen.bmp
suback.bin
support.txt
telephon.ini
w98setup.bin
wellen.bmp
win.com
win.ini
winsock.dll

Deletion of the above files may result in a general protection failure the next time the computer is rebooted.

Prevention

Patch or upgrade your Internet Explorer to avoid the "Automatic execution of embedded MIME types" vulnerability. Users of IE 5.01 will need to download security bulletin MS01-020 from Microsoft.

Users can also upgrade to IE 5.5 SP2 or IE 6.0, if they choose a full install. Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe. Users who have not upgraded to Outlook 2002 or who have not installed the Outlook 98 Security Patch or the Outlook 2000 Security Patch should do so.

In general, do not open attached files in e-mail until you've saved them to the hard disk and scanned them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signatures.

Removal

A few antivirus software companies have updated their signature files to include this worm. These updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see F-Secure, Kaspersky, McAfee, Sophos, and Trend Micro.

 _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
 You can't depend on your judgement when your imagination is out of focus.
                                                          -- Mark Twain.
 _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

       OLTECO                    Ari Ollikainen
       P.O. BOX 20088            Networking Architecture and Technology
       Stanford, CA              Ari () OLTECO com
       94309-0088                415.517.3519
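
A mail-gateway check for the lure described in the article above (the "Welcome to Yahoo! Mail." subject plus an attachment named readme.txt that is really an executable), added here as an example; it is not code from the article, the antivirus vendors, or the mailing-list post. The message it scans is constructed, and the indicator names and verdict labels are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article: the lure subject and attachment name.
# The constant names and the verdict labels below are this example's own.
SHOHO_SUBJECT = "Welcome to Yahoo! Mail."
PE_MAGIC = b"MZ"  # DOS/PE executable header; a genuine text file never starts with it

def is_disguised_executable(part) -> bool:
    """True when an attachment presents itself as text but carries a PE header."""
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    looks_textual = filename.endswith(".txt") or part.get_content_maintype() == "text"
    return looks_textual and payload[:2] == PE_MAGIC

def scan_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report Shoho-style indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"lure_subject": False, "disguised_exe": [], "verdict": "clean"}
    if (msg.get("Subject") or "").strip() == SHOHO_SUBJECT:
        findings["lure_subject"] = True
    for part in msg.walk():
        # Only attachments matter here; the top-level multipart container is skipped.
        if part.is_attachment() and is_disguised_executable(part):
            findings["disguised_exe"].append(part.get_filename())
    # A forged executable is decisive; the subject alone is only a weak signal.
    if findings["disguised_exe"]:
        findings["verdict"] = "quarantine"
    elif findings["lure_subject"]:
        findings["verdict"] = "suspicious"
    return findings

def build_sample(subject: str, attach_name: str, attach_bytes: bytes) -> bytes:
    """Constructed test message (not a real Shoho sample) mimicking the lure layout."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("To view the original message content, open the attached message.")
    # The worm labels its executable as a plain-text attachment.
    m.add_attachment(attach_bytes, maintype="text", subtype="plain", filename=attach_name)
    return m.as_bytes()

if __name__ == "__main__":
    fake_exe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # constructed stand-in for a PE file
    print(scan_message(build_sample(SHOHO_SUBJECT, "readme.txt", fake_exe)))
```

The same magic-byte-versus-extension comparison catches any attachment that claims to be text while carrying an executable header, not only this worm's readme.txt.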

For archives see:
http://www.interesting-people.org/archives/interesting-people/
