Win32.Worm.IMStealer.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Worm.IMStealer.A.
Explanation:
This worm tries to spread through the following IM programs: Skype, Yahoo! Messenger, Windows Live Messenger, AIM and ICQ. To do so, it searches for open windows belonging to these programs and, once one is found, looks for zones of interest inside it (input boxes, lists, subwindows), retrieves contact data (users) from them and sends itself to those users by synthesizing keyboard and mouse input.
When executed it makes a copy of itself in %Temp%\vshost32.exe and registers this copy to run at logon:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit = %System%\userinit.exe,%Temp%\vshost32.exe
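As an added defender's check, not part of the BitDefender description, the routine below parses a Winlogon Userinit value such as the one above and reports every program other than the legitimate userinit.exe; it assumes %System% expands to C:\Windows\system32 (the default install location) and that the live registry is read only when run on Windows.

```python
import sys
from typing import List

# Legitimate Userinit content on a default install, after normalisation.
# The worm described above appends a second program to this list.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed expansions of the environment tokens used in the description,
# so "%System%\userinit.exe" and "C:\Windows\system32\userinit.exe" compare equal.
_TOKENS = {
    "%system%": r"c:\windows\system32",
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
}


def normalize(entry: str) -> str:
    """Lower-case one list entry, drop quotes and expand known tokens."""
    e = entry.strip().strip('"').lower()
    for token, expansion in _TOKENS.items():
        e = e.replace(token, expansion)
    return e


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return the entries of a comma-separated Userinit value that are not
    the legitimate userinit.exe. Windows leaves a trailing comma on the
    default value, so empty entries are ignored rather than flagged."""
    findings = []
    for raw in value.split(","):
        if not raw.strip():
            continue
        if normalize(raw) != EXPECTED_USERINIT:
            findings.append(raw.strip())
    return findings


def read_live_userinit() -> str:
    """Read the real value from HKLM; uses the standard winreg module, Windows only."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Off Windows, fall back to the (constructed) value quoted in the description.
    sample = read_live_userinit() if sys.platform == "win32" \
        else r"%System%\userinit.exe,%Temp%\vshost32.exe"
    for hit in suspicious_userinit_entries(sample):
        print("unexpected Userinit entry:", hit)
```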
As an additional spreading routine, it creates an autorun.inf file pointing to a hidden copy of the worm on every partition, mapped network drive and removable storage drive.
It tries to access a PHP script with the parameters "12345" and "USA" at the following locations:
win.studyingcenter-org.com, ns.dunno-net.com, fubar.cheapsocks.cn; all were unavailable at the time of the description.
Last update 21 November 2011