
The Imaut.B worm attacks with renewed vigor

A few days after the release of the first variant of the Imaut worm, which spreads through instant messengers, a newer version appeared that uses some additional techniques to infect computers.

The Imaut.B worm, like its first variant, primarily uses Yahoo! Messenger, AIM, Windows Live Messenger, and Windows Messenger to try to infect as many computers as possible. It sends messages that contain a link to a malicious website. If the user clicks on such a link, the worm is downloaded to their computer immediately. It then creates a number of registry entries and begins redirecting web pages. The worm also constantly monitors the My Computer and Windows Explorer windows. Finally, Imaut.B makes the Windows Task Manager and the Registry Editor inaccessible.

When the Imaut.B worm starts, it performs the following actions:

1. Creates the following file:
%System%\svchost32.exe

2. Downloads a file from the Internet and saves it to the Windows System directory as svhost.exe.

3. Adds the following value to the registry key
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel:
"Homepage" = "1"

4. Adds the following values to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System:
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"

5. Adds the following value to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main:
"Start Page" = "[http://]tintucso.com/lu[…]"

6. Adds the following value to the registry key
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz:
"content url" = "[http://]tintucso.com/lu[…]"

7. Adds the following value to the registry key
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast:
"content url" = "[http://]tintucso.com/lu[…]"

8. Adds the following values to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
"Task Manager" = "%System%\svchost32.exe"
"SVCHOST" = "%System%\svhost.exe"

9. Stops the following processes (if they are running):
Bkav2006.exe
IEProt.exe
svhost32.exe
svchost32.exe
bdss.exe
vsserv.exe

10. Constantly monitors windows that have one of the following texts in their title bar:
My Computer
Windows Explorer

11. Tries to spread through Yahoo! Messenger, AIM, Windows Live Messenger, and Windows Messenger.

12. Makes Windows Task Manager and Registry Editor unavailable.
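The registry changes in steps 3 to 8 are the most durable indicators of this worm, so they are what a responder would check first. The script below is an added example (not code from the original article or from any vendor) that parses a `.reg` export, as produced by `reg export`, and flags the entries the article lists: the locked IE home page policy, the `DisableTaskMgr`/`DisableRegistryTools` values, start-page and Yahoo! Messenger URLs pointing at tintucso.com, and Run entries that launch `svchost32.exe` or the look-alike `svhost.exe` (note the missing "c" compared with the legitimate `svchost.exe`). The embedded export is constructed sample data; the URL path is a placeholder because the article truncates the real one, and the function and constant names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a .reg export containing the keys the Imaut.B write-up
# lists, plus one benign Run entry that must not be flagged. The URL path is a
# placeholder; the article truncates the real path.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://tintucso.com/PLACEHOLDER"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\Windows\\system32\\svchost32.exe"
"SVCHOST"="C:\\Windows\\system32\\svhost.exe"
"OneDrive"="C:\\Users\\x\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=value ; the name may contain escaped quotes/backslashes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

MALICIOUS_HOST = "tintucso.com"            # domain named in the write-up
DROPPED_BINARIES = {"svchost32.exe", "svhost.exe"}  # files from steps 1 and 2
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def _parse_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # hex:/hex(2): and other types are kept as text


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: value}}.
    Key paths are lowercased so lookups are case-insensitive, like the
    registry itself. Default values (@=...) are ignored."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            tree[current][_unescape(m.group(1))] = _parse_value(m.group(2))
    return tree


def _is_one(v):
    return v == 1


def _points_at_host(v):
    return isinstance(v, str) and MALICIOUS_HOST in v.lower()


# (key, value name, predicate, explanation) for the article's steps 3 to 7
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
     "Homepage", _is_one, "IE home page locked by policy"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", _is_one, "Task Manager disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", _is_one, "Registry Editor disabled"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Start Page", _points_at_host, "IE start page redirected to " + MALICIOUS_HOST),
    (r"HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz",
     "content url", _points_at_host, "Yahoo! Messenger content URL redirected"),
    (r"HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast",
     "content url", _points_at_host, "Yahoo! Messenger content URL redirected"),
]


def _lookup(values, name):
    """Case-insensitive value-name lookup within one key."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def scan_reg_export(text):
    """Return a list of (key, value_name, explanation) findings."""
    tree = parse_reg_export(text)
    findings = []
    for key, name, check, why in INDICATORS:
        value = _lookup(tree.get(key.lower(), {}), name)
        if value is not None and check(value):
            findings.append((key, name, why))
    # Step 8: any Run entry whose target file name is one of the dropped binaries
    for name, value in tree.get(RUN_KEY.lower(), {}).items():
        if isinstance(value, str):
            target = PureWindowsPath(value).name.lower()
            if target in DROPPED_BINARIES:
                findings.append((RUN_KEY, name, "Run entry launches dropped binary " + target))
    return findings


if __name__ == "__main__":
    for key, name, why in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{why}: {key} -> {name!r}")
```

Run it against a real export with `scan_reg_export(open("export.reg", encoding="utf-16").read())`; `reg export` writes UTF-16 by default. The match on the Run key deliberately looks at the file name only, since the article gives the paths as `%System%\...` while an export shows them expanded. Finding all of these on a host is a cleanup signal, not just a detection one: the `DisableTaskMgr` and `DisableRegistryTools` values explain why the local tools in step 12 stop working and must be reset after the binaries from steps 1 and 2 are removed and the Run entries deleted.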
