Win32.Worm.IM.J – the Worm Crawling the IM Network
Instant messaging services are once again targeted by malware authors!
Called Win32.Worm.IM.J, this malicious code spreads via links sent as instant messages on Yahoo!® Messenger on behalf of infected users. The message uses social engineering to make recipients believe they are in a delicate situation that demands immediate action, and it is all the more convincing because the embedded link ends with the recipient's own Yahoo!® Messenger username.
The infected messages display two questions asking the victim whether he / she has pictures or a profile on a compromising site; a link towards the alleged site is, of course, provided after the informative note.
Once users follow the link, they are redirected to a fake Web page containing some ads and a blank space where the alleged photos should be. A spoofed browser information bar, drawn inside the page under the first row of ads rather than where the browser itself would display one, advises the victim to install Adobe Shockwave Player in order to view the pictures.
Upon execution, the downloaded setup file drops the following four files. The first is the worm itself (detected as Worm.Agent.AJ); the other three are not malicious (libeay32.dll and ssleay32.dll are the OpenSSL crypto and SSL libraries):
%SystemRoot%\system32\[random 4 - 8 letter string].exe
%SystemRoot%\system32\YahooAuth2.dll
%SystemRoot%\system32\libeay32.dll
%SystemRoot%\system32\ssleay32.dll
To run at every boot, the worm appends itself to the Winlogon Shell value, a comma-separated list of programs that Winlogon launches at logon, so the worm starts alongside Explorer.exe: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe , C:\WINDOWS\system32\[random 4 - 8 letter string].exe". It subsequently creates two further files, one in %SystemRoot%\ and one in %SystemRoot%\system32\.
The worm removes the locally stored credentials from the infected computer in order to force the user to type them in again. The captured log-in information is then stored in the Windows Registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\first, and the worm uses it to authenticate to Yahoo! Messenger silently and send the infected links to everyone on the victim's contact list.
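As an added example (not code from this write-up or from the malware analysed), here is a small Python triage script that applies the two registry indicators given above to a .reg export: it parses the Winlogon key, flags any Shell entry other than Explorer.exe (the value is a comma-separated list of programs Winlogon launches, which is how the appended path runs at each logon), and checks whether the HKLM\SOFTWARE\first credential store exists. The sample export, the file name qwbfk.exe and the value under "first" are constructed; the 4-8 letter name pattern is derived from the article's description of the dropped file, not a published indicator.

```python
import re
from typing import Dict, List

# Registry locations named in the write-up above.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CREDENTIAL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\first"

# The dropped executable is described only as a random 4-8 letter name in
# system32, so this pattern is an assumption drawn from that description.
DROPPED_EXE_RE = re.compile(r"\\system32\\[a-z]{4,8}\.exe$", re.IGNORECASE)

# Constructed sample of what `reg export` would write on an infected host.
# The name "qwbfk.exe" and the value under "first" are invented for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe , C:\\WINDOWS\\system32\\qwbfk.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\first]
"u"="victim_id"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for a .reg (v5) export: {key_path.lower(): {name: REG_SZ value}}.

    Only string values are handled; dword/hex values are ignored, which is
    enough for the Winlogon Shell check.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, sep, raw = line.partition("=")
            if sep and raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslash and quote with a backslash; undo it.
                value = re.sub(r"\\(.)", r"\1", raw[1:-1])
                keys[current][name.strip('"')] = value
    return keys


def shell_entries(shell_value: str) -> List[str]:
    """Split the Winlogon Shell value into the programs Winlogon will start."""
    return [e.strip() for e in shell_value.split(",") if e.strip()]


def triage(reg_text: str) -> Dict[str, object]:
    """Flag the two registry artefacts described in the write-up."""
    keys = parse_reg_export(reg_text)
    # A clean machine has Shell set to (or defaulting to) Explorer.exe only.
    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell", "Explorer.exe")
    extra = [e for e in shell_entries(shell) if e.lower() != "explorer.exe"]
    return {
        "shell_extra_entries": extra,
        "shell_entries_matching_dropper_name": [e for e in extra if DROPPED_EXE_RE.search(e)],
        "credential_key_present": CREDENTIAL_KEY.lower() in keys,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REG_EXPORT), indent=2))
```

On a suspect host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and pass the file contents to triage(); reg.exe writes UTF-16 by default, so open the file with encoding="utf-16". Any Shell entry beyond Explorer.exe deserves investigation whether or not its name happens to fit the 4-8 letter pattern.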
Last, but not least, the worm also features a downloader component that would install additional malware on the infected system.
Win32.Worm.IM.J is built with Borland Delphi® and seems to have its roots in Romania, since the messages it sends are written in Romanian: "cine ti-a pus pozele aici?"(who posted your pictures here?) and "tu ti-ai facut profilu asta?"(was it you who created a profile here?).
In order to avoid infections, we recommend that you install and regularly update a complete antimalware suite with antivirus, antispam, antiphishing and firewall modules.