login | register | shoutbox

 What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Tech Talk » Virus Alert! W32.Allim.A@mm

Virus Alert! W32.Allim.A@mm
Author: Message:
Dane
Non-Elite Member
*****

Avatar
Dont ask to ask, just ASK!

Posts: 1621
Reputation: 52
35 / Male / Flag
Joined: Dec 2002
Status: Away
O.P. Grin  Virus Alert! W32.Allim.A@mm
Users of Messenger Plus! Zone Outbreak Alert will receive this alert via there system tray with in 1 hour.

This virus spreads through AOL instant messenger and is similar to the one I got for MSN Messenger.  I thought i'd post it here though so that everyone was aware of it.

quote:
Originally posted by Symantec

When W32.Allim.A is executed, it performs the following actions:

Sends the following message to all the AIM contacts on the compromised computer:

Body: hey check out this!


Notes:
Where "this!" is a link to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php
A recipient must click on the link "this!", download the file [email address], and then execute the file.
The file is downloaded as [email address] (the default email address as set in Internet Explorer) and is a variant of W32.Spybot.Worm.


Copies the W32.Spybot.Worm variant as %System%\winimsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows iMessenger Messenger" = "winimsg.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

so that the W32.Spybot.Worm variant runs every time Windows starts.


Modifies the values:

"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

so that the registry editing tools and task manager are disabled.


The W32.Spybot.Worm variant can perform any of the following actions:


Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Attempt to terminate processes and services.
Use the compromised computer as a traffic relay or proxy.
04-27-2005 02:09 AM
Profile PM Web Find Quote Report
« Next Oldest Return to Top Next Newest »

Messages In This Thread
Virus Alert! W32.Allim.A@mm - by Dane on 04-27-2005 at 02:09 AM
RE: Virus Alert! W32.Allim.A@mm - by prashker on 04-27-2005 at 02:44 AM


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts 		HTML is Off
myCode is On
Smilies are On
[img] Code is On