Virus Alert! W32.Allim.A@mm - Printable Version

-Shoutbox (
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Virus Alert! W32.Allim.A@mm (/showthread.php?tid=43708)

Virus Alert! W32.Allim.A@mm by Dane on 04-27-2005 at 02:09 AM

Users of Messenger Plus! Zone Outbreak Alert will receive this alert via there system tray with in 1 hour.

This virus spreads through AOL instant messenger and is similar to the one I got for MSN Messenger.  I thought i'd post it here though so that everyone was aware of it.

Originally posted by Symantec

When W32.Allim.A is executed, it performs the following actions:

Sends the following message to all the AIM contacts on the compromised computer:

Body: hey check out this!

Where "this!" is a link to the URL: http:/ /adw[domain removed]
A recipient must click on the link "this!", download the file [email address], and then execute the file.
The file is downloaded as [email address] (the default email address as set in Internet Explorer) and is a variant of W32.Spybot.Worm.

Copies the W32.Spybot.Worm variant as %System%\winimsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"Windows iMessenger Messenger" = "winimsg.exe"

to the registry subkeys:


so that the W32.Spybot.Worm variant runs every time Windows starts.

Modifies the values:

"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"

in the registry subkey:


so that the registry editing tools and task manager are disabled.

The W32.Spybot.Worm variant can perform any of the following actions:

Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Attempt to terminate processes and services.
Use the compromised computer as a traffic relay or proxy.

RE: Virus Alert! W32.Allim.A@mm by prashker on 04-27-2005 at 02:44 AM

thanks for the info!!