How to Cope with Dloader.HDZD / Sohanad Virus



Dloader.HDZD is a variant of Sohanad, a worm that originates from Vietnam. It blocks several Windows utilities, such as Task Manager, Registry Editor, Folder Options, MSConfig and the Command Prompt, which makes it hard to remove. It spreads through Yahoo Messenger (YM): on an infected computer it activates YM and sends messages in Vietnamese containing a link to download and run the virus, hosted on the free hosting site 0catch.com at the address http://nhatquanglan1.0catch.com.

The characteristics of the virus file are:

· Uses a folder icon

· File size of 249 KB (254.464 Byte)

· File type is “application”

· Uses the “.exe” extension

Effects after your computer is infected by Dloader.HDZD:

· Blocks some Windows functions, such as Task Manager, Registry Editor and Folder Options.

· Closes Windows utilities such as the System Configuration Utility (MSConfig) and the Command Prompt as soon as you run them.

· Creates scheduled tasks in Windows by making two job files (at1.job and at2.job), so that the virus file is executed every day at 09.00 a.m.

· Every so often, sends messages in Vietnamese containing a link to download the virus file (the link is no longer active) to all of your Yahoo Messenger contacts. Examples of these messages are:

a. E may, vao day coi co con nho nay ngon lam http://nhatquanglan1.0catch.com

b. Vao day nghe bai nay di ban http://nhatquanglan1.0catch.com

c. Biet tin gi chua, vao day coi di http://nhatquanglan1.0catch.com

d. Trang Web nay coi cung hay, vao coi thu di http://nhatquanglan1.0catch.com

e. Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan.. Ve dau toi biet di ve dau? http://nhatquanglan1.0catch.com

f. Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa… http://nhatquanglan1.0catch.com

g. Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi… http://nhatquanglan1.0catch.com

h. Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan1.0catch.com

i. Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon… http://nhatquanglan1.0catch.com

· The link in the message created by the virus is meant to lure the user into clicking through to a website (this website can no longer be accessed; it has been banned by the owner of the free hosting service). If the user opens the website while it is active, the virus file is downloaded automatically.

If the virus succeeds in infecting the computer, it creates several virus files, such as:

· C:\WINDOWS\SSCVIIHOST.exe

· C:\WINDOWS\system32\autorun.ini

· C:\WINDOWS\system32\setting.ini

· C:\WINDOWS\system32\blastclnnn.exe

· C:\WINDOWS\system32\SSCVIIHOST.exe

· \autorun.inf (on USB/removable drives)

· \New Folder.exe (on USB/removable drives)

In order to run every time the computer starts, the virus creates registry strings such as:

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo Messengger = C:\WINDOWS\system32\SSCVIIHOST.exe

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell = Explorer.exe SSCVIIHOST.exe

· HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo Messengger = C:\WINDOWS\system32\SSCVIIHOST.exe

To block some Windows functions, the virus creates strings such as:

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoFolderOptions = 1

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableTaskMgr = 1

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools = 1

To stay active through the scheduled tasks it created, the virus sets the following string:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule

AtTaskMaxHour = 0

To make it easier to spread across the network, the virus creates the string:

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

Shares = \New Folder.exe

Besides relying on YM, Dloader.HDZD also spreads via flash disks and floppy disks. It abuses the Windows AutoPlay feature so that it runs automatically every time an infected flash disk is plugged into the computer. The files it places on the drive are:

· autorun.inf

· New Folder.exe

Effectiveness of Banning the Website

Will banning the website put an end to the spread of Sohanad? Banning the download link does kill this particular variant effectively, but the virus author will simply upload a new variant to another website and lure users into downloading it from the new link.

Because of that, YM users should be careful. Do not click a link sent by your friends until you are really sure that the link is safe. In reality it is not your friend who sent it, but the virus that has infected their computer.

If your computer does not use Yahoo Messenger, the virus pastes the message with the link into an active Office program, so that the user will click the link.

How to clean the Dloader.HDZD virus:

· Clean the computer in Safe Mode.

· Kill the virus process. Since Task Manager is disabled, use a substitute tool such as Itty Bitty Process Manager.

· Kill the processes of the following active virus files:

a. C:\WINDOWS\system32\SSCVIIHOST.exe

b. C:\WINDOWS\SSCVIIHOST.exe (if it is active)

c. C:\WINDOWS\system32\blastclnnn.exe (if it is active)

d. New Folder.exe (if it is active)

· Delete the registry strings created by the virus. To make this easier, you can use the registry script below:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default handlers for executable file types and the Winlogon shell
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

; Remove the values added by the virus (autostart, policy locks, schedule and share settings)
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, Yahoo Messengger
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares, Shared
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, SYSTEM\CurrentControlSet\Services\Schedule, AtTaskMaxHour
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run, Yahoo Messengger

Open Notepad, paste the script above and save it as “Repair.inf” (change Save As Type to All Files so that the extension is not altered). Right-click Repair.inf and choose Install. It is better to create the Repair.inf file on a clean computer so that the virus cannot interfere with it. The Repair.inf for Dloader.HDZD can also be downloaded here:

http://www.4shared.com/file/47525698/d650cf29/Repair_Dloader-HDZD.html?dirPwdVerified=90ad42df

· To remove the Dloader.HDZD virus, scan your computer with Norman Malware Cleaner. You can download it at: http://download.norman.no/public/Norman_Malware_Cleaner.exe

· For the most thorough cleaning, use an updated Norman Virus Control, since this antivirus already detects the virus (source: antivirus.com).
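As an added check (example code, not part of the original article or of the Vaksincom tooling), the following PowerShell script reads the indicators listed above (dropped files, the at1.job/at2.job files, registry values, running processes and autorun.inf on removable drives) and reports which are present; run it before cleaning to confirm the infection and again afterwards to verify that the cleanup is complete. The %SystemRoot%\Tasks location for the AT jobs is an assumption based on the standard Windows layout.

```powershell
# Added example: read-only triage for the Dloader.HDZD / Sohanad indicators listed in this article.
# It reports what it finds and deletes nothing. Run from an elevated PowerShell prompt.
# Assumption: AT jobs live in %SystemRoot%\Tasks (standard Windows layout).
$files = @(
    "$env:SystemRoot\SSCVIIHOST.exe",
    "$env:SystemRoot\system32\SSCVIIHOST.exe",
    "$env:SystemRoot\system32\blastclnnn.exe",
    "$env:SystemRoot\system32\autorun.ini",
    "$env:SystemRoot\system32\setting.ini",
    "$env:SystemRoot\Tasks\at1.job",
    "$env:SystemRoot\Tasks\at2.job"
)
# Registry values the worm writes: key, value name, and a substring that marks the malicious data.
$regChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'; Bad = 'SSCVIIHOST' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'; Bad = 'SSCVIIHOST' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Bad = 'SSCVIIHOST' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = '1' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'Shared'; Bad = 'New Folder.exe' }
)
$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}
foreach ($c in $regChecks) {
    $data = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $data -and "$data" -like "*$($c.Bad)*") {
        $findings += "registry: $($c.Key)\$($c.Name) = $data"
    }
}
# Processes started from the dropped files (Task Manager itself is disabled by the worm).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match '^(SSCVIIHOST|blastclnnn|New Folder)$' } |
    ForEach-Object { $findings += "process running: $($_.ProcessName) (PID $($_.Id))" }
# Removable drives (DriveType 2) carrying an autorun.inf that launches New Folder.exe.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if ((Test-Path -LiteralPath $inf) -and (Select-String -Path $inf -Pattern 'New Folder.exe' -Quiet)) {
        $findings += "removable drive $($_.DeviceID): autorun.inf launches New Folder.exe"
    }
}
if ($findings.Count -eq 0) { 'No Dloader.HDZD indicators found.' } else { $findings }
```

A clean result after running Repair.inf and the malware cleaner means none of the listed files, registry values or processes remain; any line still reported points at the step that has to be repeated.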
