Information about the W32/Sohanad.B Worm:

W32/Sohanad.B is a worm that infects Windows systems and spreads through popular instant messaging applications.
Upon execution, the worm copies itself to the Windows folder as SVHOST32.EXE or SVHOST.EXE.
It then adds a value under the following registry key so that it is loaded at each startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger:

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm also modifies the registry to disable Registry Editor and Task Manager, and it changes the Internet Explorer (IE) home page. It propagates via Yahoo! Messenger, AIM, Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of the active user. This message contains a link to a remote copy of the worm; when the recipient clicks the link, a copy of the worm is executed on the recipient's system.

Solution:

Enabling the Windows Task Manager and Registry Editor

This malware disables the Windows Task Manager and Registry Editor. To re-enable these tools, perform the following instructions.

1. Open Notepad. Click Start>Run, type Notepad, then press Enter.
2. Copy and paste the following:

    On Error Resume Next
    ' Shell object used for the registry operations below
    Set shl = CreateObject("WScript.Shell")
    ' FileSystemObject is created by the original script but not used
    Set fso = CreateObject("Scripting.FileSystemObject")
    ' Remove the policy values that lock out Registry Editor and Task Manager
    ' for the current user...
    shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
    ' ...and for the default user profile
    shl.RegDelete "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
    shl.RegDelete "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"

3. Save this file as {any file name}.VBS.
4. Click Start>Run, type {any file name}.VBS, then press Enter.
5. Click Yes at the prompt of the message box.
6. Click OK.

Edit the Registry


Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete any of the following entries:
* Task Manager = “%Windows%\svhost32.exe”
* Svchost = “%Windows%\svhost.exe”
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

Removing Added Keys and Entries from the Registry

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Yahoo>pager>View
2. Still in the left panel, locate and delete the following keys:
* YMSGR_buzz
* YMSGR_Launchcast
3. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Policies>Microsoft>Internet Explorer>Control Panel
4. In the right panel, locate and delete the following entries:
* Homepage = "dword:00000001"
5. Close Registry Editor.
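The removal steps above can be checked before and after cleanup with a read-only audit. The following PowerShell script is an added example, not part of the original post or of any vendor tool; it only reports the registry artifacts this write-up attributes to W32/Sohanad.B and changes nothing. It assumes it is run in an elevated PowerShell session on the affected machine.

```powershell
# Added example: read-only audit for the W32/Sohanad.B registry artifacts
# described in this post (autostart entries, disabled admin tools, Yahoo!
# Messenger keys, IE home page lock). It reports and does not modify anything.
$findings = @()

# 1. Autostart values whose command points at the worm's dropped file names.
#    The pattern matches svhost.exe / svhost32.exe but not the legitimate svchost.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '(?i)\\svhost(32)?\.exe') {
            $findings += "Run entry '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 2. Policy values the worm sets to disable Registry Editor and Task Manager,
#    checked for the current user and for the default profile (HKU\.DEFAULT).
foreach ($base in 'HKCU:', 'Registry::HKEY_USERS\.DEFAULT') {
    $polKey = "$base\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $findings += "$polKey\$name = 1" }
    }
}

# 3. Yahoo! Messenger view keys created by the worm.
foreach ($k in 'YMSGR_buzz', 'YMSGR_Launchcast') {
    if (Test-Path "HKCU:\Software\Yahoo\pager\View\$k") {
        $findings += "Key present: HKCU\Software\Yahoo\pager\View\$k"
    }
}

# 4. Internet Explorer home page lock.
$ieKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$hp = (Get-ItemProperty -Path $ieKey -Name Homepage -ErrorAction SilentlyContinue).Homepage
if ($hp -eq 1) { $findings += "$ieKey\Homepage = 1" }

if ($findings.Count -eq 0) { 'No Sohanad.B registry artifacts found.' } else { $findings }
```

Run it again after completing the manual steps; an empty result confirms that every entry listed in this post has been removed.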

Resetting Internet Explorer Home Page and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

1. Close all Internet Explorer windows.
2. Open Control Panel. Click Start>Settings>Control Panel.
3. Double-click the Internet Options icon.
4. In the Internet Properties window, click the Programs tab.
5. Click the Reset Web Setting… button.
6. Select Also reset my home page. Click Yes.
7. Click OK.

Always run your favorite anti-virus program, and have a virus-free day.
