W32.Shoho@mm


Aliases: I-Worm.Welyah.a, W32/Shoho.gen@MM, Win32.HLLM.Shoho, W32/Shoho-Fam, Win32/Shoho.R@mm
Variants: WORM_SHOHO.C, Worm/WelYah, W32/Welyah.L@mm, Win32:Shoho, I-Worm/Shoho

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Dec 2001
Damage: Low

Characteristics: W32.Shoho@mm is a mass-mailing worm written in Visual Basic. It also exploits the IFRAME vulnerability, which causes Microsoft Outlook to open the attachment automatically.

More details about W32.Shoho@mm

When W32.Shoho@mm is run, it copies itself to the Windows\System and Windows folders as “Winl0g0n.exe”. Note that the filename contains zeros (0), not the letter “O”. It then adds the value “WINL0G0N C:\windows\WINL0G0N.EXE” to the registry key, which causes the worm to run every time Windows starts. The worm then creates the file “Email.txt” in the same folder as the worm. “Email.txt” holds the MIME Base64-encoded copy of the worm, and the worm uses this file to send itself. The worm also creates the file “Emailinfo.txt” in the same location. This file stores the email addresses that the worm finds on your PC.

W32.Shoho@mm searches your PC for email addresses in files that have the “.mbx”, “.wab”, “.eml”, “.xlt”, “.xls”, and “.mdb” extensions, and writes them to the “Emailinfo.txt” file. It then uses its own SMTP engine to send itself to those addresses. The message has these features: Subject “Welcome to Yahoo Mail!”, Attachment “Readme.txt.pif”. Note that there may be many blank spaces between the “.txt” and “.pif” file extensions. This is done to trick you into believing that the attachment is just a .txt file, when it is actually an executable .pif file. The worm uses the IFRAME vulnerability, which enables MS Outlook to open the attachment automatically.
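The padded double extension described above can be caught at a mail gateway by inspecting attachment filenames. The following is an added example, not code from the original page or from any vendor; the extension lists, function names, and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed policy lists for this sketch, not taken from the page.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".htm", ".html"}

# <stem><decoy extension><optional whitespace padding><real extension>
_DOUBLE_EXT = re.compile(
    r"^.*(?P<decoy>\.[A-Za-z0-9]{1,5})(?P<pad>\s*)(?P<real>\.[A-Za-z0-9]{1,5})\s*$",
    re.DOTALL,
)

def disguised_executable(filename):
    """Return details if an executable hides behind a decoy extension, else None."""
    m = _DOUBLE_EXT.match(filename or "")
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return {"decoy": decoy, "real": real, "padding": len(m.group("pad"))}
    return None

def scan_message(raw):
    """Return [(filename, details)] for every suspicious part of a raw message."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()  # None for parts without a filename
        details = disguised_executable(name)
        if details:
            hits.append((name, details))
    return hits

# Constructed sample: placeholder bodies, filename shaped like the one described above.
PADDED_NAME = "Readme.txt" + " " * 20 + ".pif"
SAMPLE = (
    "Subject: Welcome to Yahoo Mail!\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\n"
    'Content-Disposition: attachment; filename="notes.txt"\n\nplain text\n'
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    f'Content-Disposition: attachment; filename="{PADDED_NAME}"\n\nplaceholder\n'
    "--b1--\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The padding length is reported separately because a long run of spaces between two extensions is a stronger signal than a plain double extension.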