Monday, August 20, 2007

Security: Sohanad and win32.VB worms still alive

Sometimes Godaddy and their affiliates, i.e. Servage, make me wonder just how effective their actions are against their own clients that abuse godaddy's ToS (Terms of Service).
One of the things that made me consider this as a blog topic is their apparent inaccessibility to shut down the main domain names. For those who don't know what's going on, the story goes like this:
- was ended, after some 6+ months of running the Sohanad.* and win32.VB.* worms
- and redirect to a new target as of yesterday, as far as I can tell: auct_photo/temp/ (deliberately put a space between, do NOT visit the website)
- The exploit used here is a VB script exploit, which is actually encoded using Javascript
- The exploit downloads YMworm.exe and worm2007.exe which can be found in the same folder the above mentioned link
- YMworm.exe is actually an AutoIt script and gives a bad name to the good folks of that project. worm2007.exe is just a "backup" program as far as I can tell. It connects to and tries to download these two programs from there, probably used when the websites, this lamer ( owner) hacked and redirects to, go down.

Final comment: They might be cheap & good in sales, but their abuse team doesn't handle reports very well.

Removal tool: Cwean antimalware package

Update: If you try a Google search for the old hacked website,, you'll notice a nice warning message ;) I sure hope they applied that in the Web Forgery system implented in Firefox

I did a google search on the IP of the new one, I found another exploit: /AutoVoLam.html (deliberate space added between) - downloads spider.exe from the same directory.

No comments: