Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 23 June 2007 04:29:36 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Impard-A is a worm for the Windows platform with IRC backdoor functionality.
W32/Impard-A may be instructed to send messages and files via MSN and AIM. In particular, W32/Impard-A may send one of the following messages (determined by the language of the infected computer) together with a file called myphoto.zip, which contains a copy of the worm named IMG009.jpg-www.imagehosting.com:
hey check out this photo, dunno if i should add to my alb, lemme send to you
wanna see this pic of me? :D sec
hey wanna see this pic of me?
just took a new pic of me, lemme
hahaha check out this pic ull die
he regard a ma nouvelle image :D
voulez-vous voir une nouvelle image de moi?
j'ai recemment trouve une vieille image de moi, je la trouverai et l'enverrai :D
ca va, regard a la nouvelle photo que j
Blick auf das neue foto, das ich
he wie geht es Ihnen? meine neue
ich ein fotoalbum, sollte bilde ich dieses addieren?
hallo, diese Akte, es annehmen ist fur mein fotoalbum
hola como eres? comprobar si tienes gusto de mi nuevo cuadro :D
yo has estado juntando un album de foto, tienes gusto de este cuadro?
como eres que hace, comprobar hacia fuera este cuadro de mi :D
Haha.. comprobar hacia fuera mi nuevo cuadro
a verificacao para fora este retrato que novo eu fiz exame apenas, mim emitir-lheo-a
como meu retrato novo? :D
mim tenho feito meu album de foto, devo eu adicionar este retrato?
se voce nao for ocupado, verificar para fora este retrato novo :D
hahaha olhar este retrato novo de mim
guardare la mia nuova immagine haha
lo pensate dovreste aggiungere questa immagine al mio album di foto?
ciao desiderare vedermi un'immagine?
come siete, guardare questa nuova immagine di me
W32/Impard-A may also be instructed to seed itself via BitTorrent.
W32/Impard-A copies itself to the file C:\RECYCLER\msnservice.exe and sets the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Services
C:\RECYCLER\msnservice.exe
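A triage check for the startup entry described above, as an added example that is not part of the original Sophos description: it parses the text output of `reg query` for the Run key and flags the W32/Impard-A path and, going beyond the specific case, any autostart that runs from a Recycle Bin folder. The sample output, the `Updater` entry and the function names are constructed for illustration.

```python
import re
from ntpath import normpath  # Windows path rules on any platform

IOC_NAME = "MSN Services"  # indicators from the description above
IOC_PATH = r"C:\RECYCLER\msnservice.exe"
# Assumption for the generalised check: nothing legitimate autostarts from here.
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}

# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
EXE_END = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.I)

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    MSN Services    REG_SZ    C:\RECYCLER\msnservice.exe
    Updater    REG_SZ    "D:\RECYCLER\S-1-5-21\upd.exe" /quiet
"""

def parse_reg_query(text):
    """Return (name, type, data) for every value line."""
    return [(m["name"], m["type"], m["data"].strip())
            for m in map(VALUE_LINE.match, text.splitlines()) if m]

def executable_of(data):
    """Strip quotes and arguments from a Run command line."""
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        m = EXE_END.match(data)
        path = m.group(1) if m else data
    return normpath(path)

def triage(text):
    """List (value name, path, reason) for suspicious autostart entries."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        path = executable_of(data)
        folders = {p.lower() for p in path.split("\\")[:-1]}
        if path.lower() == IOC_PATH.lower():
            findings.append((name, path, "W32/Impard-A startup path"))
        elif folders & RECYCLE_DIRS:
            findings.append((name, path, "autostart from a Recycle Bin folder"))
        elif name.lower() == IOC_NAME.lower():
            findings.append((name, path, "W32/Impard-A value name, different path"))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
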
W32/Impard-A attempts to modify firewall settings to allow it to access the internet.
W32/Impard-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Impard-A may attempt to search the infected computer for evidence of other bots and, if it finds any, will attempt to terminate them, send them to its own remote controller, and then delete them.
W32/Impard-A drops and executes a number of clean files to C:\<8 random characters>.bat in order to perform some of its functionality.
