Worm.Sohonad

Worm.Sohonad is a part of a family of worms that usually spread via removable drives and specific instant messenger programs. This worm can easily modify system settings in order to connect to the Internet behind the user’s back. Worm.Sohonad does so in order to contact a remote host and then receive instruction on further malware behavior.

Worm.Sohonad is a cunning infection, because it copies itself to files that strongly resemble legitimate system files, even though they are not. For example, scvhosts.exe or blastclnnn.exe found in a system folder (System 32 that is present in various locations, depending on which version of Windows you’re running on). Worm.Sohonad makes use of the Yahoo Messenger’s name to spread itself as it adds a value “Yahoo Messenger” into the system registry upon the installation, with the auto run subkey. As a result Worm.Sohonad runs automatically at every system boot.

Worm.Sohonad also creates various files on the infected system, including autorun.ini that is detected as a separate piece of malware on its own – Worm:Win32/Autorun!inf. This worm is able to create a schedule Windows task, and run it at 9AM every single day.

The most common way for Worm.Sohonad to spread is via Windows Live Messenger (although it is not unusual for the worm to exploit Yahoo Messenger, AIM and Google Talk as well). The worm simply sends a message with a link to its own copy to everyone on the infected user’s contact list. It can also infect you through network shares and removal USB flash drives. Once it’s in, Worm.Sohonad makes a list of system modifications and terminates processes that would tamper the infection. Then it contacts a list of remote hosts as setting3.9999mb.com, www.freewebs.com, setting3.yeahost.com and so on.

Even though Worm.Sohonad does not infect system files directly, it causes a lot of problems with the system performance. For example, it removes Folder Options item from Windows explorer menus and the Control Panel. It also forces the Internet Explorer to start in an online mode and it can easily disable the Task Manager by performing registry modifications.

Needless to say, clean system is the best, and you can achieve that by removing Worm.Sohonad from your computer ASAP. Try acquiring a legitimate antimalware tool that will help you to destroy Worm.Sohonad automatically, because manual worm removal is a tedious business not recommended to inexperienced computer users. Time is essential in this case, so do not waste it – remove Worm.Sohonad right now!