WORM_QUATIM.A
Overview

Malware type: Worm

Aliases: IM-Worm.Win32.Sohanad.f (Kaspersky), Generic.dw (McAfee), W32.Imaut (Symantec), TR/Crypt.CFI.Gen (Avira), Troj/Agent-ENI (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: Medium

Distribution potential: Medium

Infection Channel 1: Propagates via instant messaging applications


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_QUATIM.A Behavior Diagram

Malware Overview

This worm propagates via the instant messaging application Yahoo! Messenger. It sends an instant message to all contacts of the affected user. The message contains a link that, when accessed, downloads a copy of the worm.

Its dropped copy uses the file name YAHOO.EXE to avoid easy detection.

It disables the Windows Task Manager and Registry Editor by modifying related registry entries. This makes the worm harder to detect and remove from an affected system.

It also modifies the Internet Explorer home page to point to a malicious URL, which may contain malicious files that may be downloaded automatically to the affected system. It also modifies certain content-related Yahoo! Messenger settings. This allows the worm to download possibly malicious files from the malicious URL.

It also changes the Internet Explorer title bar to reflect the malicious URL.


Description created: Oct. 4, 2006 5:56:40 AM GMT -0800
