Discovered: September 18, 2006
Updated: September 19, 2006 8:53:35 AM
Also Known As: W32.Yautoit [Symantec]
Infection Length: Varies
Systems Affected: Windows

W32.Imaut is a worm that spreads through Yahoo! Instant Messenger.

Note: Definitions before June 7, 2007 may detect this worm as W32.Yautoit.

Antivirus Protection Dates

  • Initial Rapid Release version September 19, 2006
  • Latest Rapid Release version June 18, 2018 revision 016
  • Initial Daily Certified version September 19, 2006
  • Latest Daily Certified version June 18, 2018 revision 008
  • Initial Weekly Certified release date September 20, 2006


Writeup By: Hatsuho Honda


Once executed, the worm downloads a file from the following location: [http://]www.sukien.org/tamdiep/Download/A9.[REMOVED]

The worm then saves the downloaded file as the following file:
  • %Windir%\taskmng.exe

The worm creates the following registry entry so that it runs every time Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Task Manager" = "%Windir%\taskmng.exe"

The worm then modifies the following registry entry to disable manual modification of the Internet Explorer home page:
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"

The worm also modifies the following registry entries to disable the Task Manager and the Registry Editor:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"


The worm then modifies the following registry entry to change the Internet Explorer home page:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[http://]www.sukien.org"

The worm modifies the following registry entries to change the settings of Yahoo! Instant Messenger:
  • HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\"content url" = "[http://]www.sukien.org"
  • HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\"content url" = "[http://]www.sukien.org"

The worm modifies the following registry entry to change the title of the Internet Explorer window:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window Title" = "[http://]www.sukien.org/lo[REMOVED] :: Another Version of [http://]www.sukien.org/lo[REMOVED] :: Chut gi de nho..."

Next, the worm sends the following messages through Yahoo! Instant Messenger:
  • Vui gi ma vui the! Dau ca bung roi ne... [http://]www.sukien.org/lo[REMOVED]
  • Trui, ngo nghinh qua a... Vo coi thu nao [http://]www.sukien.org/lo[REMOVED]
  • Vui kinh khung! Ghe qua day ti xiu nha ban [http://]www.sukien.org/lo[REMOVED]
  • Chao mung cac ban den voi Dao Khuc Community [http://]www.sukien.org/lo[REMOVED]
  • Moi phat hien ra cai nay ne, cuc hay luon nha [http://]www.sukien.org/lo[REMOVED]
  • Kinh di qua di mat... Toan la ma trong nay ne [http://]www.sukien.org/lo[REMOVED]
  • Gom gi ma gom the... Vao day ma xem gom co nao [http://]www.sukien.org/lo[REMOVED]
  • Cai gi the nhi? Thang ban moi quang cao cai nay [http://]www.sukien.org/lo[REMOVED]
  • Bo oi! Co biet gi chua ha? Cai nay hay lam a nha [http://]www.sukien.org/lo[REMOVED]
  • Hey! Dang lam gi vay? Bo ti thoi gian vao day nha [http://]www.sukien.org/lo[REMOVED]
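A defender-side check for the indicators listed above, added here as an example and not code from the Symantec writeup: a read-only PowerShell audit of the registry entries and the dropped file, run in the user context whose HKCU hive is under review. The registry paths and value names are taken from the Technical Details; the `sukien.org` and `taskmng.exe` match patterns and the report layout are this example's own choices.

```powershell
# Added example (not from the Symantec writeup): read-only audit of the registry
# entries and dropped file the writeup attributes to W32.Imaut. Paths and value
# names come from the Technical Details; the script only reports, it changes nothing.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'Task Manager';         Bad = '*\taskmng.exe*'; Note = 'Run-key persistence' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr';       Bad = '1';              Note = 'Task Manager disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = '1';              Note = 'Registry Editor disabled' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
       Name = 'Homepage';             Bad = '1';              Note = 'IE home page locked by policy' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Name = 'Start Page';           Bad = '*sukien.org*';   Note = 'IE start page changed' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Name = 'Window Title';         Bad = '*sukien.org*';   Note = 'IE window title changed' },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz'
       Name = 'content url';          Bad = '*sukien.org*';   Note = 'Yahoo! Messenger content URL changed' },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast'
       Name = 'content url';          Bad = '*sukien.org*';   Note = 'Yahoo! Messenger content URL changed' }
)

# Wrap in @() so the result is always an array, even for zero or one finding.
$findings = @(foreach ($c in $checks) {
    # A missing key or value is normal on a clean system, so suppress those errors.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = [string]$item.($c.Name)   # DWORD 1 becomes "1", so one pattern style fits all
    if ($data -like $c.Bad) {
        [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $data; Indicator = $c.Note }
    }
})

# The writeup names %Windir%\taskmng.exe as the saved payload; report it if present.
$payload = Join-Path $env:WINDIR 'taskmng.exe'
if (Test-Path -Path $payload) {
    $findings += [pscustomobject]@{ Key = 'file system'; Value = $payload; Data = 'exists'; Indicator = 'Dropped payload present' }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No W32.Imaut indicators from the writeup were found.'
}
```

A match is a prompt to compare the entry against the Technical Details before restoring it; a full system scan with current definitions remains the supported removal path.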



You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
