Special Sponsor

Sunday, August 5, 2007

Worm W32.Imaut.AS

W32.imaut.as is a worm that infected Yahoo! Instant messenger and sending message by using yahoo messenger contact to multiply itself. It affected Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP.
The worm spreads by sending messages to all online Yahoo! Instant Messenger contacts. The text of the message will be one of the following:


* http: //dungcoivb.googlepages.com/FUN
* Olalala, may tinh cua ban da dinh Worm DungCoi...........


The worm create following files when it executes:

*Delete the following files
  1. C:\PNga.txt
  2. %Windir%\Help\Other.exe
  3. %Windir%\inf\Other.exe
  4. %Windir%\system\Fun.exe
  5. %System%\config\Win.exe
  6. %System%\WinSit.exe
  7. %Windir%\dc.exe
  8. %Windir%\SVIQ.EXE
  9. %System%\NWB.dat
  10. (drive letter):\temp\temp.exe


Removal
  1. Update virus definition
  2. Turn off windows system restore
  3. Run a full scan or deep scan
  4. Delete / disinfect the infected files


Navigate and delete the registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc2k5" = "C:\WINDOWS\SVIQ.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fun" = "C:\WINDOWS\system\Fun.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc" = "C:\WINDOWS\dc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "C:\WINDOWS\system32\config\Win.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\system32\WinSit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "C:\WINDOWS\inf\Other.exe"




1 comment:

Anonymous said...

Protect and clean your PC.
When searching for an antispyware scanner that will protect and clean your PC it can get a little confusing. There are so many available it’s hard to know which one will work the best. If you’re like me, you’ve probably tried a variety of them all and found they basically all find the same types of bugs. Through my experimenting I’ve found that the antispyware solution from Search-and-destroy at (http://www.Search-and-destroy.com) works the best. Search-and-destroy Antispyware cleans and protects my computer just as good as any scanner, it gets rid of those nasty bugs and it does it all for less than many of the others available.