Another SOHANAD worm

I think a new SOHANAD variant is in the wild.

I had received a suspicious message from a friend via YM. Actually, I had received several messages, but each contains one link only. Unlike other SOHANAD variants, the link is not disguised as such; the link address is what is stated in the message.

So I tried looking at it, and it was a PHProxy page. But when I viewed its source, it was just a frameset with two frames, both SRCs located OUTSIDE the Web site itself. One points to a Vietnamese-like Web site (with a Vietnamese-sounding URL), and the other to a Yahoo!-hosted page (no longer available at the moment).

After viewing the Vietnamese-sounding Web site and its source, I am convinced it is a SOHANAD worm. The source contains a VBScript typical of SOHANAD carriers that exploits MS06-014.

Basically what it does is download a file from the Vietnamese-sounding Web site, save it on your computer, and use the exploit to execute the downloaded file. Voila!
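As an added illustration (not code from the original post), here is a small checker that flags the two traits described above in a page's HTML: frames whose sources point off-site, and VBScript blocks. The hostnames and HTML samples are constructed stand-ins, not the real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class FramePageScanner(HTMLParser):
    """Collect frame/iframe sources and count VBScript blocks in a page."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []
        self.vbscript_blocks = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frame_srcs.append(a["src"])
        if tag == "script":
            # VBScript may be declared via language= or type=
            lang = (a.get("language") or a.get("type") or "").lower()
            if "vbscript" in lang:
                self.vbscript_blocks += 1


def scan_page(page_url, html):
    """Return the off-site frame hosts and whether VBScript is present."""
    scanner = FramePageScanner()
    scanner.feed(html)
    own_host = urlparse(page_url).hostname or ""
    external = []
    for src in scanner.frame_srcs:
        # Resolve relative sources so same-site frames are not flagged
        target = urlparse(urljoin(page_url, src)).hostname or ""
        if target and target != own_host:
            external.append(target)
    has_vbs = scanner.vbscript_blocks > 0
    return {"external_frames": external, "vbscript": has_vbs,
            "suspicious": bool(external) or has_vbs}


# Constructed samples modelled on the post: a proxy page that only frames
# two other hosts, a carrier page with a VBScript block, and a benign frameset.
PROXY_PAGE = ('<html><frameset rows="*,0">'
              '<frame src="http://lure.example.invalid/index.html">'
              '<frame src="http://yahoo-hosted.example.invalid/page.html">'
              '</frameset></html>')
CARRIER_PAGE = ('<html><body><script language="VBScript">'
                "' payload omitted</script></body></html>")
CLEAN_PAGE = ('<html><frameset><frame src="/menu.html">'
              '<frame src="main.html"></frameset></html>')

if __name__ == "__main__":
    print(scan_page("http://proxy.example.invalid/index.php", PROXY_PAGE))
```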

So far, here are the messages that I have received:

Beauty KIDs… http://cso[BLOCKED]2.net
For iTunes hacker, the freedom of the open code … http://cso[BLOCKED]2.net
How Windows XP Wasted $25 Billion of Energy… http://cso[BLOCKED]2.net
Oh my GOD #… http://cso[BLOCKED]2.net

The file to be downloaded is named VNN.EXE.

YM users are advised to be careful when handling links sent via IM, even if they come from your friends. BTW, Firefox users can view the page safely, as it ignores VBScript.