
W32.Imaut

Risk Level 1: Very Low

Discovered:
September 18, 2006
Updated:
September 19, 2006 8:53:35 AM
Also Known As:
W32.Yautoit [Symantec]
Infection Length:
Varies
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Once executed, the worm downloads a file from the following location: [http://]www.sukien.org/tamdiep/Download/A9.[REMOVED]

The worm then saves the downloaded file as the following file: %Windir%\taskmng.exe

The worm creates the following registry entry so that it runs every time Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Task Manager" = "%Windir%\taskmng.exe"

The worm then modifies the following registry entry to disable the manual modification of the Internet Explorer home page: HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"

The worm also modifies the following registry entries to disable the Task Manager and the Registry Editor:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

The worm then modifies the following registry entry to change the Internet Explorer home page: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[http://]www.sukien.org"

The worm modifies the following registry entries to change the settings of Yahoo! Instant Messenger:
  • HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\"content url" = "[http://]www.sukien.org"
  • HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\"content url" = "[http://]www.sukien.org"

The worm modifies the following registry entry to change the Internet Explorer window title: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "[http://]www.sukien.org/lo[REMOVED] :: Another Version of [http://]www.sukien.org/lo[REMOVED] :: Chut gi de nho..."

Next, the worm sends the following messages through Yahoo! Instant Messenger:
  • Vui gi ma vui the! Dau ca bung roi ne... [http://]www.sukien.org/lo[REMOVED]
  • Trui, ngo nghinh qua a... Vo coi thu nao [http://]www.sukien.org/lo[REMOVED]
  • Vui kinh khung! Ghe qua day ti xiu nha ban [http://]www.sukien.org/lo[REMOVED]
  • Chao mung cac ban den voi Dao Khuc Community [http://]www.sukien.org/lo[REMOVED]
  • Moi phat hien ra cai nay ne, cuc hay luon nha [http://]www.sukien.org/lo[REMOVED]
  • Kinh di qua di mat... Toan la ma trong nay ne [http://]www.sukien.org/lo[REMOVED]
  • Gom gi ma gom the... Vao day ma xem gom co nao [http://]www.sukien.org/lo[REMOVED]
  • Cai gi the nhi? Thang ban moi quang cao cai nay [http://]www.sukien.org/lo[REMOVED]
  • Bo oi! Co biet gi chua ha? Cai nay hay lam a nha [http://]www.sukien.org/lo[REMOVED]
  • Hey! Dang lam gi vay? Bo ti thoi gian vao day nha [http://]www.sukien.org/lo[REMOVED]
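The following PowerShell script is an added example, not part of the Symantec writeup, that audits a Windows host for the artifacts listed above (the dropped file, the Run persistence value, the policy values set to 1, and the browser and Yahoo! Messenger values pointing at the worm's domain). It is read-only and assumes it runs in the profile of the affected user, since the HKCU values are per-user.

```powershell
# Added example: report W32.Imaut indicators described in the writeup. Read-only.
$findings = @()

# Persistence: HKLM Run value "Task Manager" -> %Windir%\taskmng.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Task Manager']) {
    $findings += "Run value 'Task Manager' = $($run.'Task Manager')"
}

# Dropped file in the Windows directory
$dropped = Join-Path $env:windir 'taskmng.exe'
if (Test-Path -Path $dropped) { $findings += "File present: $dropped" }

# Policy values the worm sets to 1 (Task Manager, Registry Editor, IE home page lock)
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'Homepage' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { $findings += "$($c.Path)\$($c.Name) = 1" }
}

# IE and Yahoo! Messenger values redirected to the worm's domain
$urlChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Window Title' },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz'; Name = 'content url' },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast'; Name = 'content url' }
)
foreach ($c in $urlChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and "$($v.($c.Name))" -match 'sukien\.org') {
        $findings += "$($c.Path)\$($c.Name) = $($v.($c.Name))"
    }
}

if ($findings.Count -eq 0) {
    'No W32.Imaut indicators found.'
} else {
    'W32.Imaut indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

Run it for each user profile that logged on to the machine, because the HKCU entries only appear under the account the worm ran as.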
Writeup By: Hatsuho Honda