So new… So-hanad

Just a while ago I received a message from a friend through Yahoo Messenger, and it seemed familiar and suspicious. Then, a few minutes later, another message popped in that was pretty much the same as the first one.


I investigated the URLs being advertised and came up with the following chain of redirections.



  1. http://{blocked}.info/who.jpg
  2. http://{blocked}.info/friendpic1.jpg
  3. http://{blocked}.com/Gallery/albums/album/index.php
  4. http://{blocked}.com/Gallery/albums/album/index2.php
  5. http://{blocked}.com/Gallery/albums/album/YMworm.exe
  6. http://{blocked}.com/Gallery/albums/album/worm2007.exe

So, from the first two URLs advertised on YM, I was redirected to the third URL, which then redirects to the fourth URL, which in turn downloads and executes the fifth and last URLs.


You might have noticed that the first two URLs end in .jpg and look like plain image files. They are actually directories on the server: when accessed, they resolve to http://{blocked}.info/who.jpg/index.html and http://{blocked}.info/friendpic1.jpg/index.html, and those index pages contain the actual HTML redirection code. The image-looking extension is only there to make the link look harmless in the chat message. I also tried accessing the parent directory of the URL (http://{blocked}.info), which resolves to http://{blocked}.info/index.html, and found that it carries the same redirection code as the first two URLs. The domain was only registered on January 1, 2007!
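To make the chain above reproducible offline, here is an added example (not code from the original post) that follows a redirection chain hop by hop, flags URLs that end in an image extension but are served as HTML, and collects any .exe URLs referenced by the final page. The hostnames (example-a.invalid, example-b.invalid) and the page bodies are constructed stand-ins for the blocked sites; the paths mirror the ones listed in the post.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample responses standing in for the blocked hosts in the post.
# Keys are URLs, values are (content_type, body). The body of index2.php is a
# stand-in for the cleaned-up (de-obfuscated) script; it is not the real exploit.
SAMPLE_RESPONSES = {
    "http://example-a.invalid/who.jpg": (
        "text/html",
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://example-b.invalid/Gallery/albums/album/index.php">'
        "</head></html>",
    ),
    "http://example-b.invalid/Gallery/albums/album/index.php": (
        "text/html",
        '<script>window.location="index2.php";</script>',
    ),
    "http://example-b.invalid/Gallery/albums/album/index2.php": (
        "text/html",
        '<script>var u="http://example-b.invalid/Gallery/albums/album/YMworm.exe";'
        'var v="http://example-b.invalid/Gallery/albums/album/worm2007.exe";</script>',
    ),
}

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png")

# Common client-side redirection idioms seen in landing pages.
REDIRECT_PATTERNS = [
    # <meta http-equiv="refresh" content="0;url=...">
    re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I),
    # window.location = "...", location.href = "...", top.location = "..."
    re.compile(r'(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    # <iframe src="..."> used as a silent hop
    re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I),
]

# Absolute URLs to executables referenced anywhere in a page body.
PAYLOAD_RE = re.compile(r'https?://[^\s"\'<>]+?\.exe\b', re.I)


def looks_like_image(url):
    """True if the URL path ends with an image extension (ignores the query string)."""
    return urlparse(url).path.lower().endswith(IMAGE_EXTS)


def extract_redirect(body):
    """Return the first redirection target found in an HTML/JS body, or None."""
    for pattern in REDIRECT_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def trace_chain(start_url, fetch, max_hops=10):
    """Follow client-side redirects from start_url.

    fetch(url) must return (content_type, body) or None. Returns a dict with the
    ordered chain of URLs visited, a list of findings (image/HTML mismatch, loops,
    dead ends) and the list of .exe URLs referenced along the way.
    """
    chain, findings, payloads = [], [], []
    url = start_url
    while url and len(chain) < max_hops:
        if url in chain:
            findings.append(f"redirect loop back to {url}")
            break
        chain.append(url)
        resp = fetch(url)
        if resp is None:
            findings.append(f"no response recorded for {url}")
            break
        ctype, body = resp
        # The trick from the post: a path ending in .jpg that serves HTML.
        if looks_like_image(url) and ctype.lower().startswith("text/html"):
            findings.append(f"{url} has an image extension but is served as HTML")
        for payload in PAYLOAD_RE.findall(body):
            if payload not in payloads:
                payloads.append(payload)
        target = extract_redirect(body)
        url = urljoin(url, target) if target else None
    return {"chain": chain, "findings": findings, "payloads": payloads}


if __name__ == "__main__":
    result = trace_chain("http://example-a.invalid/who.jpg", SAMPLE_RESPONSES.get)
    for hop in result["chain"]:
        print("hop:", hop)
    for note in result["findings"]:
        print("finding:", note)
    for exe in result["payloads"]:
        print("payload:", exe)
```

Swap `SAMPLE_RESPONSES.get` for a real fetcher (returning the Content-Type header and body) to run it against a live chain from an isolated analysis box; the hop limit and loop check keep a malicious landing page from spinning the tracer forever.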


A quick look at the source code of the fourth URL shows slightly obfuscated JavaScript that, once cleaned up, contains MS06-014 exploit code which downloads and executes YMworm.exe and worm2007.exe as its payload. So if your system is fully patched, the exploit fails, these two files never land on your system, and there is no infection at all!


The downloaded files were poorly detected by many AV vendors, and even their heuristics failed, which shows that these binary samples are really fresh from the author.


All the URLs involved were sent to our Web Blocking Team, and the samples were given the detection names shown below.



  • index2.php – HTML_SOHANAD.AL
  • YMworm.exe – WORM_SOHANAD.AL
  • worm2007.exe – WORM_SOHANAD.AG