Win32.Worm.IMStealer.A
SYMPTOMS: the presence of the files and registry key listed in the technical description; increased processor and network activity.

TECHNICAL DESCRIPTION: This worm tries to spread through the following IM programs: Skype, Yahoo! Messenger, Windows Live Messenger, AIM and ICQ. To do so, it searches for open windows of the above programs and, once one is found, looks for zones of interest (input boxes, lists, subwindows), retrieves data (users) from them and sends itself to those users by synthesizing keyboard and mouse input.

When executed it makes a copy of itself in %Temp%\vshost32.exe and registers this copy to run at startup:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = %System%\userinit.exe,%Temp%\vshost32.exe

As a further spread routine, it creates an autorun.inf file pointing to a hidden copy of the worm on each partition, mapped network drive and removable storage drive.

It tries to access a PHP script, using the parameters "12345" and "USA", at the following locations: win.studyingcenter-org.com, ns.dunno-net.com, fubar.cheapsocks.cn (unavailable at the time of analysis).

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Ovidiu Visoiu, virus researcher
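The two persistence and spread indicators above (an extra entry appended to the Winlogon Userinit value, and an autorun.inf whose open target is an executable) can be checked offline from exported values. The following is an added detection example, not BitDefender's code; the registry strings and autorun.inf text are constructed samples, and the normalization of C:\Windows\system32 to %System% is an assumption for comparison only.

```python
import re
from typing import List

# A clean Userinit value contains exactly one program: the system userinit.exe.
# The worm appends a second comma-separated entry (%Temp%\vshost32.exe).
EXPECTED_USERINIT = r"%system%\userinit.exe"

# Constructed sample values (as exported from the Winlogon key), not real captures.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
INFECTED_USERINIT = r"%System%\userinit.exe,%Temp%\vshost32.exe"

# Constructed sample autorun.inf content pointing at an executable copy.
SAMPLE_AUTORUN = "[autorun]\r\nopen=vshost32.exe\r\nshellexecute=vshost32.exe\r\n"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its comma-separated program entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def normalize(path: str) -> str:
    """Lower-case, strip quotes and map the concrete System32 path to %system%."""
    p = path.strip().strip('"').lower()
    return re.sub(r"^[a-z]:\\windows\\system32\\", r"%system%\\", p)


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the expected userinit.exe."""
    return [e for e in parse_userinit(value) if normalize(e) != EXPECTED_USERINIT]


def autorun_launches_executable(autorun_text: str) -> bool:
    """Flag an autorun.inf whose open/shellexecute target is an executable file."""
    targets = re.findall(r"^\s*(?:open|shellexecute)\s*=\s*(.+?)\s*$",
                         autorun_text, re.IGNORECASE | re.MULTILINE)
    return any(t.lower().endswith((".exe", ".scr", ".com", ".bat")) for t in targets)


if __name__ == "__main__":
    print("clean Userinit extras:", suspicious_userinit_entries(CLEAN_USERINIT))
    print("infected Userinit extras:", suspicious_userinit_entries(INFECTED_USERINIT))
    print("autorun.inf launches exe:", autorun_launches_executable(SAMPLE_AUTORUN))
```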