W32.Blastclan


Aliases: WORM_SOHANAD.EJ, W32/SillyFDC-AE, IM-Worm.Win32.Sohanad.as, Worm:Win32/Autorun.FJ, W32/Sality.ad
Variants: Worm:Win32/Sohanad.I, Worm.Nuqel.H, Win32.Alman.B, W32/Mabezat-B, Virus:Win32/Delicium.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Europe, Asia, Africa
Removal: Easy
Platform: W32
Discovered: 13 Sep 2007
Damage: Low

Characteristics: Belonging to a class of malware considered network-aware, the W32.Blastclan program can spread its code by using weakly protected network shares. Its routine copies an instance of itself to every network share reachable from the infected computer system.

More details about W32.Blastclan

This family of Worms has been known to target the System folder as well as the Windows directory of the compromised computer system to install its file components. The W32.Blastclan program has been closely associated with the presence of the autorun.ini, blastclnnn.exe, scvhosts.exe, At1.job, and hinhem.scr files, which are believed to be dropped during the initial execution of this threat. Almost all of these files can be found in the aforementioned locations, with the exception of At1.job, which is placed in the Tasks folder of the Windows directory. This Worm reportedly modifies certain Windows Registry keys so that it is loaded automatically during every startup or boot-up of the infected machine.

This program also tampers with the registry key associated with the Yahoo! Messenger client so that it executes whenever the application is launched by the unwary computer user. The W32.Blastclan program then attempts to use the active Internet connection to download the file settings.doc from predetermined websites. This document is a configuration file containing additional commands that allow the Worm to initiate further malicious actions on the infected computer system. The file new folder.exe is used by the W32.Blastclan Worm to execute from the various network shares found on the machine. An accompanying autorun.inf file is also installed so that the Worm's copy mimics a shared network drive. When it successfully tricks the computer user into thinking that it is a network drive, it delivers its payload as soon as the share is accessed.
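The file names above, together with the autorun.inf trick, give a defender something concrete to look for on file servers and removable media. The following Python script is an added example, not code from the original page or from any antivirus vendor: it walks a directory tree, flags files whose names match the dropped-file names listed in this description, and parses any autorun.inf it finds to see whether its launch keys (the standard `open`, `shellexecute` and `shell\<verb>\command` entries) point at one of those names. The sample share it builds is constructed test data; the "new folder.exe" it writes is a placeholder text file, not an executable.

```python
"""Scan a directory tree for the file-name indicators attributed to W32.Blastclan
and for autorun.inf files that would launch one of them. Added defensive example."""
import os
import tempfile

# File names the description attributes to W32.Blastclan (matched case-insensitively).
INDICATOR_FILES = {
    "blastclnnn.exe", "scvhosts.exe", "hinhem.scr", "new folder.exe", "at1.job",
}


def _executable_from_command(value):
    """Return the program path from an autorun.inf command value (quoted, or first token)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def autorun_launch_targets(text):
    """Programs an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command= keys."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(_executable_from_command(value))
    return targets


def autorun_targets_indicator(text):
    """True if any launch target's file name is one of the known indicator names."""
    for target in autorun_launch_targets(text):
        name = os.path.basename(target.replace("\\", "/")).lower()
        if name in INDICATOR_FILES:
            return True
    return False


def scan_tree(root):
    """Walk root and report indicator file names and autorun.inf files that launch them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            lower = fname.lower()
            if lower in INDICATOR_FILES:
                findings.append({"path": full, "reason": "indicator file name"})
            elif lower == "autorun.inf":
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    if autorun_targets_indicator(fh.read()):
                        findings.append({"path": full, "reason": "autorun.inf launches indicator"})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Create a constructed directory tree mimicking an infected share (test data, not real malware)."""
    root = tempfile.mkdtemp(prefix="blastclan_demo_")
    os.makedirs(os.path.join(root, "public"))
    os.makedirs(os.path.join(root, "installer"))
    # Suspicious share: autorun.inf pointing at a file with one of the listed names.
    with open(os.path.join(root, "public", "autorun.inf"), "w") as fh:
        fh.write('[autorun]\nopen="new folder.exe"\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n')
    with open(os.path.join(root, "public", "new folder.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not an executable\n")
    with open(os.path.join(root, "public", "notes.txt"), "w") as fh:
        fh.write("ordinary document\n")
    # Benign share: a vendor-style autorun.inf that launches an unrelated installer.
    with open(os.path.join(root, "installer", "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=setup.exe\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_share()):
        print(finding["reason"], "->", finding["path"])
```

Run against a real share root instead of the constructed one, the scan reports both the dropped copy and the autorun.inf that would launch it, while leaving a vendor installer's autorun.inf alone; matching on the launch target rather than on the mere presence of autorun.inf is what keeps the false-positive rate tolerable on shares that legitimately carry one.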