Infected with Sohanad-O virus

phani kumar

Hi.

My system (Win Vista) has been infected with the Sohanad-O virus and system
performance has become too slow.
Though Avast anti-virus has been installed and has scanned, it shows no virus
in the system.
I cannot open the registry editor, task manager, or anti-virus web sites to
scan online.
I am unable to work as most applications keep crashing. It has also
spread to a couple of other systems with WinXP.
Even scanning in safe mode does not help, and I cannot open the registry
editor or task manager in safe mode.
I cannot install any other anti-virus program as they are terminated. Even
page setup in Microsoft Word will close and Word hangs up.
Checked with Ad-Aware also, but it says no adware/spyware found.

Need urgent help please...
Thanks in advance
 
BigJim

This is now the most common type of virus. It spreads as an attachment to an
e-mail sent from the infected computer. It is also able to spread by other
methods - copying itself to shared network disks on the local network, sending
itself via IRC, or as a file with some alluring name within a folder on a
"peer-to-peer" file sharing system.


E-mail content

The e-mail message created by the virus is often suspect at first appearance -
it normally contains a few sentences in English trying to convince you that
you should open the attached file.

However, this is not always the case - some viruses use text or parts of text
randomly taken from files within the infected computer, and some even take an
existing message from the Inbox folder. They put this text within the e-mail,
attach the infected file and forward the virus on by e-mail.


Sender address

The latest viruses send e-mails with a faked sender header, so there is no
point in replying to them with a notice about the infection.

Also - if you are unlucky in that an I-worm randomly selects your e-mail
address to use in the "sender" header, you start to receive undeliverable
messages (that you never sent) or automatic messages from mail servers saying
that your e-mail messages are infected.


Outlook & Outlook Express

Because these mail clients are very popular, they act as a magnet for virus
writers to abuse their features or security holes. If you use one of these
mail clients it is recommended you keep it updated with security updates and
service packs released by Microsoft.
 
phani kumar

True.. It messed up the registry and now I cannot see any other option other
than to format my system.
It's a painful task and I am not ready for it yet. A lot of things change and
one major worry is whether I lose my Vista license if I do a clean re-install.
Already my Vista (licensed version) is validated and activated. If I format
& re-install, will that be counted as a second license or not??
I do use Windows Mail and I am getting "undeliverable messages" and messages
that a message could not be sent due to a virus.
I do continuously check for updates & I am updated regarding security
patches, Service Packs and other things from Microsoft Update online
automatically.

Now that the system and network are infected, do I run the risk of losing the
data?? If yes, there is a chance that the backup I take will also contain
this virus. So it's all the more important that I remove the virus first.
Is there any standalone tool to remove this virus? How do I clean this
mess??

Already people with whom I communicate say that they are getting messages with
the virus from me. It's a big problem for me now.

Thanks..
 

Sent to the public.security.virus group via crosspost
 
Carl Farrington

phani kumar said:
True.. It messed up the registry and now I cannot see any other option other
than to format my system.

There are multiple backups of the system's registry hives, and of all local
users' hives, under \System Volume Information, as long as System Restore
hasn't been disabled, so there are lots of other options than to reformat.

It's a painful task and I am not ready for it yet. A lot of things change and
one major worry is whether I lose my Vista license if I do a clean
re-install. Already my Vista (licensed version) is validated and
activated. If I format & re-install, will that be counted as a second
license or not??

No, you are perfectly allowed to format and reinstall, on the same computer.

I do use Windows Mail and I am getting "undeliverable messages" and
messages that a message could not be sent due to a virus.
I do continuously check for updates & I am updated regarding security
patches, Service Packs and other things from Microsoft Update online
automatically.

Now that the system and network are infected, do I run the risk of losing
the data?? If yes, there is a chance that the backup I take will also
contain this virus. So it's all the more important that I remove the
virus first. Is there any standalone tool to remove this virus? How do I
clean this mess??

Already people with whom I communicate say that they are getting messages with
the virus from me. It's a big problem for me now.

Thanks..

Sounds like you need to call a PC Doctor :)
 
Malke

phani said:
True.. It messed up the registry and now I cannot see any other option other
than to format my system.
It's a painful task and I am not ready for it yet. A lot of things change
and one major worry is whether I lose my Vista license if I do a clean
re-install. Already my Vista (licensed version) is validated and
activated. If I format & re-install, will that be counted as a second
license or not??
I do use Windows Mail and I am getting "undeliverable messages" and
messages that a message could not be sent due to a virus.
I do continuously check for updates & I am updated regarding security
patches, Service Packs and other things from Microsoft Update online
automatically.

Now that the system and network are infected, do I run the risk of losing
the data?? If yes, there is a chance that the backup I take will also
contain this virus. So it's all the more important that I remove the
virus first. Is there any standalone tool to remove this virus? How do I
clean this mess??

Already people with whom I communicate say that they are getting messages
with the virus from me. It's a big problem for me now.

Of course you run the risk of losing data. When this is over, create and
implement a good backup strategy.

Disconnect all machines from the network and clean each one up. You can
retrieve the data first with a Linux distro running from a live CD (see
below). Then go through the malware removal steps systematically on each
machine. Do not connect any of the machines to the network until you are
100% sure they are all clean. If you can't do any of this - and there is
no shame in admitting this isn't your cup of tea since we all have our
areas of expertise - have a local computer professional come on-site and
fix you up properly. This will not be someone from a
BigComputerStore/GeekSquad type of place. Get recommendations from
friends and colleagues. Do not wait to disconnect the machines from the
network - do it now! Get all necessary tools, rescue systems, etc. from
a different and known-clean machine that was not ever connected to your
network.

A. Data retrieval

Boot the target computer with either a Bart's PE or a Linux live CD such
as Knoppix and retrieve the data that way. Here is general information
on using Knoppix for this:

You will need a computer with two CD drives, one of which is a CD/DVD-RW,
OR a USB thumb drive with enough capacity to hold your data, OR an
external USB/FireWire hard drive formatted FAT32 (not NTFS). To get
Knoppix, you need a computer with a fast Internet connection and
third-party burning software. Download the Knoppix .iso and create your
bootable CD. Then boot with it and it will be able to see the Windows
files. If you are using the USB thumb drive or the external hard drive,
right-click on its icon (on the Desktop) to get its properties and
uncheck the box that says "Read Only". Then click on it to open it. Note
that the default mouse action in the window manager used by Knoppix
(KDE) is a single click to open instead of the traditional MS Windows
double-click. Otherwise, use the K3b burning program to burn the files
to CD/DVD-Rs.

http://www.knoppix.net
http://www.nu2.nu/pebuilder/ - Bart's PE Builder

B. Malware removal

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with David Lipman's Multi_AV and follow instructions to
do all scans in Safe Mode. Please see the special Notes regarding using
Multi_AV in Vista.

http://www.elephantboycomputers.com/page2.html#Multi-AV - instructions
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
- download site

The site is in German but David's tool is in English so don't let that
worry you. Scroll all the way down to almost the bottom of the page and
you'll see a box titled "Infos Zum Download - Multi-AV Scanning Tool".
You'll see "Download von www pctipp.ch" and the live link to download
Multi_AV.

You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to's -
http://www.bleepingcomputer.com/forums/forum55.html

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the first link above (not here, please).

Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.

The only alternative to going through the malware removal tediously and
systematically, possibly with online help from an HJT forum, and having
the machines handled by a real professional is to back up your data and
do a clean install of Windows. It's your call.


Malke
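The Knoppix data-retrieval step above, as an added shell example that is not part of Malke's post or of the Knoppix project: it mounts the Windows volume read-only and non-executable, then copies the user's files while leaving behind the executable and autorun file types such a worm uses to spread, so the backup itself does not carry the infection to the next machine. The device path and mount points are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pull user data off the infected
# Windows disk from a Knoppix/live-CD shell without carrying the worm
# along. Device and mount point below are assumptions for illustration.
#
# Usage on the live CD (as root):
#   mount_windows_ro /dev/sda1 /mnt/win
#   copy_user_data /mnt/win/Users /media/usbdisk/Users

# Mount the Windows volume read-only; noexec/nosuid/nodev ensure nothing
# stored on the infected disk can be run from the live system.
mount_windows_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# File types a mass-mailing/autorun worm uses to spread: skip them so the
# backup does not reinfect the next machine it is plugged into.
is_risky() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.scr|*.pif|*.com|*.bat|*.cmd|*.vbs|*.js|*/autorun.inf) return 0 ;;
        *) return 1 ;;
    esac
}

# Recursively copy SRC to DST, preserving the tree but leaving risky
# files behind; each skipped path is reported on stderr for manual review.
copy_user_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    ( cd "$src" && find . -type f -print ) |
    while IFS= read -r f; do
        if is_risky "$f"; then
            echo "skipped (not copied): $f" >&2
        else
            mkdir -p "$dst/$(dirname "$f")"
            cp -p "$src/$f" "$dst/$f"
        fi
    done
}

# Run directly with two arguments: copy_user_data SRC DST
if [ "$#" -eq 2 ]; then copy_user_data "$1" "$2"; fi
```

Review the skipped list afterwards; a document the user genuinely needs under one of those extensions can be scanned on the clean machine and copied by hand.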
 
dennis@home

phani kumar said:
True.. It messed up the registry and now I cannot see any other option other
than to format my system.
It's a painful task and I am not ready for it yet. A lot of things change and
one major worry is whether I lose my Vista license if I do a clean
re-install. Already my Vista (licensed version) is validated and
activated. If I format & re-install, will that be counted as a second
license or not??
I do use Windows Mail and I am getting "undeliverable messages" and
messages that a message could not be sent due to a virus.
I do continuously check for updates & I am updated regarding security
patches, Service Packs and other things from Microsoft Update online
automatically.

Now that the system and network are infected, do I run the risk of losing
the data?? If yes, there is a chance that the backup I take will also
contain this virus. So it's all the more important that I remove the
virus first. Is there any standalone tool to remove this virus? How do I
clean this mess??

Already people with whom I communicate say that they are getting messages with
the virus from me. It's a big problem for me now.

Thanks..

I would put the disk in an external USB box.
Get another machine with up-to-date AV software (say the trial of
Kaspersky).
Disable autorun (which is probably a good idea anyway).
Connect the disk.
Do not run any programs on that disk.
Run the AV on the disk, full scan using the full database.
Copy your data.

Then you can put the disk back and roll it back, or reformat it if needed.

HTH.
 
phani kumar

I guess I need to format the system and do a clean install.

Cannot scan in any mode: safe mode, safe mode with command prompt, etc.

All the folder options, registry editing, and the cmd window are gone. Cannot
update my virus definition files. Any anti-virus web site won't open &, if it
opens, will be closed automatically. A new anti-virus installation won't
succeed as it will be closed by the virus. Online scanning won't help as the
window will be closed. Task manager is disabled, and command-line scanning
doesn't work as the cmd prompt will be closed automatically.

I see no other option but to reinstall.

I don't know why the Sohanad-O virus is listed as low risk on most anti-virus
web sites. It's causing havoc on my network.

Avast anti-virus did not detect the virus before infection, nor could it
delete it afterwards. Seems useless for me.
 
