General Computer Security: Get Help With System Security - This forum is not for malware removal assistance. For malware removal assistance, read the sticky topic at the top of the HijackThis Log Help forum, or the "First Steps" link at the top right of each page.
#1 (permalink)
Registered User
Join Date: Jun 2008
Posts: 2
OS: Win Xp Professional
Sohanad variants removal
Hi Everyone

I work in a medium-sized company consisting of a network of 15 computers which is not protected by an AV. We have been constantly at war with the Sohanad worm/virus, and each time we run Kaspersky for removal. Now I believe that Kaspersky AV is one of the best AVs nowadays, but I can't understand why, while the removal is accomplished, the registry fixes have to be achieved manually. Why is that? Plus, could anyone list the removal instructions for this infection, i.e. the registry fixes? This particular variant was identified by Kaspersky as Win32.AutoIt.aa.

Thanks
#2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 25,395
OS: 2000 Pro; XP Pro; XP Home
Re: Sohanad variants removal
Seems to me that you need to get protection on each of those workstations. An Enterprise edition of Kaspersky (or other) would help your situation immensely.
Sohanad is an autoruns infection, which tries to install itself to all removable drives. If your users are inserting flash drives from machine to machine, they may just be reinfecting. You can run Flash_Disinfector to help prevent that, but with 15 workstations and no protection installed on them individually, you have your work cut out for you.

There are several variants, so it's not so cut and dried as to what registry items to look for. Here is some info on the variant you've described:

http://www.threatexpert.com/report.a...7-0bf0f8e04c94
http://www.threatexpert.com/report.a...0-b73047656c07
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Our help is voluntary, but this site needs donations to operate.
Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.
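
The reply above describes reinfection through flash drives moved between machines. As an added example (not part of the original thread and not from Flash_Disinfector), the following check reads the text of a drive's `autorun.inf` and lists the entries that would launch a program; it assumes the variant uses `autorun.inf` the way removable-drive worms commonly do, and the sample contents and file names are constructed placeholders.

```python
import re

# Directives in autorun.inf that make Windows launch a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def launch_entries(autorun_text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    findings = []
    in_autorun = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() in LAUNCH_KEYS or SHELL_VERB.match(key):
            findings.append((key.lower(), value))
    return findings


def is_suspicious(autorun_text):
    """A data-only flash drive has no reason to launch anything on insertion."""
    return bool(launch_entries(autorun_text))


# Constructed samples: the file names are placeholders, not indicators from the thread.
SAMPLE_INFECTED = """\
; padding comment
[AutoRun]
Open=example_payload.exe
Shell\\Open\\Command=example_payload.exe
Shell\\Explore\\Command = example_payload.exe
icon=folder.ico
"""

SAMPLE_BENIGN = """\
[autorun]
label=Backup Drive
icon=drive.ico
"""

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(name, launch_entries(text))
```

Running this against the `autorun.inf` of every flash drive before it is plugged into another workstation shows whether the drive would carry the infection forward, independent of which registry values a given variant sets.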