
Win32.Worm.IMStealer.A

MEDIUM
LOW
75KB

Symptoms

The presence of the files and registry key listed in the technical description
Increased processor and network activity

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

This worm tries to spread through the following IM programs: Skype, Yahoo! Messenger, Windows Live Messenger, AIM and ICQ. To do so, it searches for open windows belonging to these programs and, once one is found, looks for zones of interest inside it (input boxes, lists, subwindows), retrieves contact data (users) from them and sends itself to those users by synthesizing keyboard and mouse input.
When executed it makes a copy of itself in %Temp%\vshost32.exe and registers this copy to run at logon:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = %System%\userinit.exe,%Temp%\vshost32.exe
As an additional spreading routine, it creates an autorun.inf file pointing to a hidden copy of the worm on every partition, mapped network drive and removable storage drive.
It also tries to access a PHP script, using the parameters "12345" and "USA", at the following locations:
win.studyingcenter-org.com, ns.dunno-net.com, fubar.cheapsocks.cn; these were unavailable at the time of analysis.
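As an added defensive check (example code written for this page, not Bitdefender's or the worm's own), the two functions below parse the two persistence artefacts described above: a Winlogon Userinit value that has extra entries appended after userinit.exe, and an autorun.inf whose open=/shellexecute= line launches a dropped file. The registry value and autorun.inf text are constructed samples; the file name inside the autorun sample is an assumption, since the description does not give it.

```python
import re
from typing import List

# Expected default Userinit entry on a stock Windows install (assumption:
# OEM or locale builds may legitimately add further entries).
DEFAULT_USERINIT = r"%System%\userinit.exe"

# Constructed samples mirroring the description above.
SAMPLE_USERINIT = r"%System%\userinit.exe,%Temp%\vshost32.exe"
SAMPLE_AUTORUN = "[autorun]\nopen=vshost32.exe\nicon=shell32.dll,4\n"  # file name assumed


def extra_userinit_entries(userinit_value: str) -> List[str]:
    """Return every entry of a comma-separated Userinit value that is not the
    default userinit.exe. Winlogon starts each entry at logon, which is the
    persistence mechanism the worm uses."""
    suspicious = []
    for entry in userinit_value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # a trailing comma is normal on live systems
        # Normalise the usual spellings of the system32 directory.
        normalised = re.sub(
            r"^(%systemroot%\\system32|c:\\windows\\system32|%system%)",
            "%system%", entry.lower().strip('"'))
        if normalised != DEFAULT_USERINIT.lower():
            suspicious.append(entry)
    return suspicious


def autorun_targets(autorun_inf: str) -> List[str]:
    """Return the programs an autorun.inf would launch (open= / shellexecute=
    keys in its [autorun] section); any value here on a removable or network
    drive deserves a look."""
    targets, in_autorun = [], False
    for raw in autorun_inf.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


if __name__ == "__main__":
    print("Extra Userinit entries:", extra_userinit_entries(SAMPLE_USERINIT))
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN))
```

On a live host the Userinit value is read from the Winlogon key shown above and each fixed, mapped and removable drive root is checked for an autorun.inf; the functions take the raw strings so they can also run against exported registry hives and copied files.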