W32/Sohanad.U Worm

 Information about the W32/Sohanad.U Worm:

W32/Sohanad.U is a worm. The worm will infect Windows systems and spreads through instant messaging applications.

This worm may arrive via instant messaging applications, specifically Yahoo! Messenger and Windows Live Messenger/Windows Messenger.

This worm message may send any one of the following messages through instant messaging applications.

Yahoo to charge fee for its YM service http://[BLOCKED].com/?id=ym
DIY dynamite from Whisky, Coke and Mentos : http://[BLOCKED].com/?id=dynamite
Breaking news : Osama Bin Laden has been arrested !! http://[BLOCKED].org/?news_id=18388
Fuck !!! X-( http://[BLOCKED].com/?id=password
OMG ! She is really beautiful :x http://[BLOCKED].com/DSC00273.JPG
making money online never be easier : http://[BLOCKED].org/?id=tips >:D<
This ismy one-off Xmase-card for you ^_^ http://[BLOCKED].com/?id=ecard =))
Vote for our Miss beauty today !!! http://[BLOCKED].org/?id=miss_world :x:x:x:x:xwtf is t
I made 10 gifts for the first 10 people post comments on my own page : http://[BLOCKED].com ^_^
his ? wanna give me a shit ? http://[BLOCKED].org/?id=news X-(
My new personal website: http://[BLOCKED].com c0ol !!!
Microsoft to release 2007 free-of-charge packs of Winsdows Vista for its first 2007 online registered users: http://[BLOCKED].org/?id=ms
Be careful. There'll be earthquake tonight !!! http://[BLOCKED].org/?id=warning

When the user clicks the link mentioned in the message a copy of this worm gets executed.

Upon execution, the worm copies itself as svchost.exe and svhost32.exe in Windows folder.

It modifies the registry at the following location to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm tries to download a file from the following link:

http://64.[BLOCKED]5/zun.exe

This worm first appeared on February 1, 2007.

 Other names of W32/Sohanad.U Worm:

This Worm is also known as WORM_SOHANAD.U .