Sophos

W32/Yimp-A


Summary

How it spreads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 15 September 2005 13:16:52 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Yimp-A is an Instant Messaging worm for the Windows platform.

W32/Yimp-A can spread via the Yahoo and AOL Instant Messenger IM clients.

W32/Yimp-A will send one of the following messages to the user's contacts, with
a link to an executable file:

wow! me and my friends just got on my new webcam! come watch us:
wow.. is this you?
found your picture! is this you?
haha, this girl got busted so bad..
lmao i cant stop laughing at this!
omg... this doesn't look right at all!!
this girl is crazy! go look at here
you have to take a look at this, tell me if you can open it
hey, you have to try this out... [link] - removes all the spyware and viruses
check this out: [link] - it's live and free
omg... i think i just found a pic of you, let me know

When first run, W32/Yimp-A copies itself to <System>\0penGLD.exe.

W32/Yimp-A may download and run a file from a remote server.

The following registry entries are created to run 0penGLD.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
OpenGL Drivers
<System>\0penGLD.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OpenGL Drivers
<System>\0penGLD.exe

W32/Yimp-A also overwrites the infected computer's Hosts file with entries that map a list of security-vendor and Windows Update hostnames to 127.0.2.5, a loopback address, so that those sites can no longer be reached by name.


W32/Yimp-A sets the following registry entries, which disable the automatic startup of the wuauserv and SharedAccess services:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
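As a defender-side triage check (an added example, not Sophos code), the functions below parse hosts-file text for non-localhost names sunk to a loopback address and match a Run-key export against the persistence entry described above; the sample hosts lines and Run values are constructed, and a real check would read them from the host.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Names that legitimately map to loopback; any other hostname pointed into
# 127.0.0.0/8 on a workstation is a sign of hosts-file tampering.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def find_hosts_sinkholes(hosts_text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs where a non-localhost name maps to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid hosts entry
        if addr.is_loopback:
            for name in fields[1:]:
                if name.lower() not in LEGIT_LOOPBACK_NAMES:
                    hits.append((str(addr), name.lower()))
    return hits

# Persistence artifacts named in the advisory; note the digit zero in 0penGLD.exe.
YIMP_RUN_VALUE = "OpenGL Drivers"
YIMP_FILE_RE = re.compile(r"[\\/]0penGLD\.exe$", re.IGNORECASE)

def check_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Value names in a {value_name: command} Run-key export that match the advisory."""
    flagged = []
    for name, cmd in run_values.items():
        if name == YIMP_RUN_VALUE or YIMP_FILE_RE.search(cmd.strip().strip('"')):
            flagged.append(name)
    return flagged

# Constructed sample data (not from a real system), modelled on the advisory.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.2.5 www.sophos.com
127.0.2.5 windowsupdate.microsoft.com
10.0.0.5 intranet.example  # ordinary entry, should not be flagged
"""
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "OpenGL Drivers": r'"C:\WINDOWS\system32\0penGLD.exe"'}
```

A genuine OpenGL file spelled with the letter O is deliberately not matched, so the check keys on the digit-zero homoglyph rather than the name the file imitates.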
