W32.Imaut.A

Discovered: October 03, 2006
Updated: October 03, 2006 7:23:29 PM
Also Known As: W32/Sohana-A [Sophos]
Systems Affected: Windows

W32.Imaut.A is a worm that spreads via Yahoo! Instant Messenger and Microsoft Windows Live Messenger. The worm may attempt to download remote files on the compromised computer and disable Windows Task Manager and Registry tools.

Antivirus Protection Dates

  • Initial Rapid Release version October 04, 2006
  • Latest Rapid Release version August 17, 2019 revision 019
  • Initial Daily Certified version October 04, 2006
  • Latest Daily Certified version August 15, 2019 revision 002
  • Initial Weekly Certified release date October 04, 2006

Technical Description

Once executed, the threat copies itself to the following location:
%Windir%\svhost32.exe

The Trojan creates the following registry entry so that it runs every time the machine starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Task Manager" = "%Windir%\svhost32.exe"

It may download a new version of itself from the following URL:
http://64.141.110.32/enet.exe

Next, it attempts to terminate the following antivirus processes, if present:
Bkav2006.exe
IEProt.exe
bdss.exe
vsserv.exe

It hijacks browser navigation if the title of the Internet Explorer window is the following string:
"Mesothelioma, Asbestosis & Lung Cancer Information - Microsoft Internet Explorer"

The Trojan creates the following registry entries to disable some Windows features:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"

It creates the following registry entries to set a new homepage for Internet Explorer and Yahoo Messenger:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://concerto4.net"
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\"content url" = "http://concerto4.net"
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\"content url" = "http://concerto4.net"
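The file and registry indicators above are the kind of artifact an incident responder checks first on a suspect host. The following script is an added example, not part of the Symantec writeup: it encodes the writeup's registry values as a check list, reads them either live through the standard-library `winreg` module or from an offline snapshot (so the same logic works on a hive exported from a disk image), and reports every value whose data matches. The helper names (`check_registry`, `snapshot_reader`, and so on) and the two snapshots are this example's own constructions; the value data in the snapshots mirrors the writeup, with the `Run` entry shown expanded to a `C:\WINDOWS` path because that is what the registry would actually contain.

```python
"""Host triage for the W32.Imaut.A file and registry indicators listed in the writeup.

Added example: the indicator list is the writeup's; the helpers and the
snapshots are constructed for illustration.
"""
import os
import re
import sys
from typing import Callable, Dict, List, Optional, Tuple

# (hive, subkey, value name, pattern the value data must match), taken from the writeup.
INDICATORS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Task Manager",
     re.compile(r"svhost32\.exe$", re.I)),          # persistence: %Windir%\svhost32.exe
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr",
     re.compile(r"^1$")),                            # Task Manager disabled
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools",
     re.compile(r"^1$")),                            # regedit disabled
    ("HKCU", r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "Homepage",
     re.compile(r"^1$")),                            # IE homepage setting locked
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Start Page",
     re.compile(r"concerto4\.net", re.I)),
    ("HKCU", r"Software\Yahoo\pager\View\YMSGR_buzz", "content url",
     re.compile(r"concerto4\.net", re.I)),
    ("HKCU", r"Software\Yahoo\pager\View\YMSGR_Launchcast", "content url",
     re.compile(r"concerto4\.net", re.I)),
]

# A reader returns the value data as a string, or None when the key or value is absent.
Reader = Callable[[str, str, str], Optional[str]]


def check_registry(read: Reader) -> List[str]:
    """Return one human-readable line per indicator whose current data matches."""
    hits = []
    for hive, subkey, name, pattern in INDICATORS:
        data = read(hive, subkey, name)
        if data is not None and pattern.search(data):
            hits.append(f"{hive}\\{subkey}\\{name} = {data!r}")
    return hits


def check_dropped_file(exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Return the path of the worm's copy if it is present on disk, else None."""
    path = os.path.expandvars(r"%Windir%\svhost32.exe")
    return path if exists(path) else None


def winreg_reader(hive: str, subkey: str, name: str) -> Optional[str]:
    """Live reader for Windows hosts (standard-library winreg, importable only on Windows)."""
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, subkey) as key:
            data, _kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return str(data)


def snapshot_reader(snapshot: Dict[Tuple[str, str, str], str]) -> Reader:
    """Reader over an offline snapshot, e.g. values pulled from an exported hive."""
    normalised = {(h.upper(), k.lower(), v.lower()): d for (h, k, v), d in snapshot.items()}

    def read(hive: str, subkey: str, name: str) -> Optional[str]:
        return normalised.get((hive.upper(), subkey.lower(), name.lower()))
    return read


# Constructed snapshot of an infected profile, mirroring the values in the writeup.
INFECTED_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Task Manager"): r"C:\WINDOWS\svhost32.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "1",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "1",
    ("HKCU", r"Software\Policies\Microsoft\Internet Explorer\Control Panel", "Homepage"): "1",
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "http://concerto4.net",
    ("HKCU", r"Software\Yahoo\pager\View\YMSGR_buzz", "content url"): "http://concerto4.net",
    ("HKCU", r"Software\Yahoo\pager\View\YMSGR_Launchcast", "content url"): "http://concerto4.net",
}

# Constructed snapshot of a clean profile: no Run entry, policy explicitly 0, default start page.
CLEAN_SNAPSHOT = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "0",
    ("HKCU", r"Software\Microsoft\Internet Explorer\Main", "Start Page"): "about:blank",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        for line in check_registry(winreg_reader):
            print("registry indicator:", line)
        dropped = check_dropped_file()
        if dropped:
            print("file indicator:", dropped)
    else:
        # Off Windows, run the same checks over the constructed snapshot instead.
        for line in check_registry(snapshot_reader(INFECTED_SNAPSHOT)):
            print("registry indicator (snapshot):", line)
```

Matching the policy values with `^1$` rather than a substring avoids false positives on other DWORD data, while the `svhost32.exe` and `concerto4.net` checks deliberately match on the tail or host only, since the expanded `%Windir%` path and any URL path variations are not part of the indicator.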

It spreads using IM programs including Yahoo Messenger, Windows Live Messenger and AOL IM.

The Trojan spreads through the IM programs by inserting one of the following text messages, followed by a malicious URL, into the chat window:
have you ever seen such a silly man like this? [LINK]
making money online never be easier : [LINK]
damn, she is so cute [LINK]
to only way to clean some online viruses that may lead you into troubles : [LINK]
Now you can avoid some critical online viruses by updating Windows. Click here to know how to Update Windows : [LINK]
A new dangerous computer virus that can destroys all your data has just been released. Click here to know how to avoid it : [LINK]
Download free MP3s : [LINK]
Just check out my new personal website : [LINK]
You are virus infected . Use this tool to remove viruses from your PC : [LINK]
wtf is this? wanna give me a shit ? [LINK]
Let's vote for Vietnam's beauty - Mai Phuong Thuy - for the upcoming Miss World competition : [LINK]
check this link for me : [LINK]

Where [LINK] can be:
http://concerto4.net/?id=[RANDOM_TEXT]
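The lure messages, the `concerto4.net/?id=` link format and the `enet.exe` download URL give a network-side detection opportunity on IM gateway or web proxy logs. The following scanner is an added example and not part of the Symantec writeup: it tags each log line with the indicator it matches (lure text, lure URL, or update download) and pulls out the per-link `id` tokens for pivoting. The log format and every line in `SAMPLE_LOG` are constructed for illustration; the lure phrases and URLs are those listed above.

```python
"""Scan IM gateway / proxy log lines for W32.Imaut.A spreading indicators.

Added example: lure phrases and URLs come from the writeup; the log format
and sample lines are constructed.
"""
import re
from typing import List, Tuple

# Lure texts from the writeup (each is followed by a link in the real messages).
LURE_PHRASES = [
    "have you ever seen such a silly man like this?",
    "making money online never be easier",
    "damn, she is so cute",
    "to only way to clean some online viruses that may lead you into troubles",
    "Now you can avoid some critical online viruses by updating Windows",
    "A new dangerous computer virus that can destroys all your data has just been released",
    "Download free MP3s",
    "Just check out my new personal website",
    "You are virus infected . Use this tool to remove viruses from your PC",
    "wtf is this? wanna give me a shit ?",
    "Let's vote for Vietnam's beauty - Mai Phuong Thuy - for the upcoming Miss World competition",
    "check this link for me",
]

# Link format from the writeup: http://concerto4.net/?id=[RANDOM_TEXT]
LURE_URL = re.compile(r"https?://concerto4\.net/\?id=([A-Za-z0-9_-]+)", re.I)
# Self-update download listed in the writeup.
UPDATE_URL = re.compile(r"https?://64\.141\.110\.32/enet\.exe", re.I)


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so spacing variants of a lure still match."""
    return re.sub(r"\s+", " ", text).strip().lower()


_LURES_NORM = [normalise(p) for p in LURE_PHRASES]


def classify(line: str) -> List[str]:
    """Return the indicator tags a single log line matches (empty list if none)."""
    tags = []
    norm = normalise(line)
    if any(phrase in norm for phrase in _LURES_NORM):
        tags.append("imaut-lure-text")
    if LURE_URL.search(line):
        tags.append("imaut-lure-url")
    if UPDATE_URL.search(line):
        tags.append("imaut-update-download")
    return tags


def scan(log: str) -> List[Tuple[int, List[str], str]]:
    """Return (line number, tags, line) for every line that matches at least one indicator."""
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags, line))
    return hits


def extract_lure_ids(log: str) -> List[str]:
    """Collect the [RANDOM_TEXT] tokens from lure links, in order of appearance."""
    return [m.group(1) for m in LURE_URL.finditer(log)]


# Constructed sample: an IM gateway log with two infected senders and benign traffic mixed in.
SAMPLE_LOG = """\
2006-10-03 14:02:11 ymsg user=alice to=bob msg="hey, are we still on for tonight?"
2006-10-03 14:02:45 ymsg user=bob to=alice msg="damn, she is so cute http://concerto4.net/?id=kx92lq"
2006-10-03 14:03:07 http client=10.0.0.12 GET http://64.141.110.32/enet.exe 200
2006-10-03 14:03:30 msnp user=bob to=carol msg="check this link for me : http://concerto4.net/?id=ab8m0z"
2006-10-03 14:04:02 http client=10.0.0.15 GET http://www.example.com/index.html 200
2006-10-03 14:04:40 ymsg user=dave to=bob msg="Download free MP3s : http://music.example.com/"
"""

if __name__ == "__main__":
    for number, tags, line in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
        print("   ", line)
    print("lure ids:", extract_lure_ids(SAMPLE_LOG))
```

The sixth sample line shows why the tags are kept separate: a lure phrase next to an unrelated link is only a weak signal (the same wording could be typed by a person), whereas a `concerto4.net/?id=` link or a fetch of `enet.exe` is specific to this worm and is what an alert should key on; the lure-text tag is still useful for finding the sending account once a strong indicator has fired.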