W32.Antixbot.A


Aliases: W32/Chode-AC, W32/IRCBot-XB
Variants: Antixbot.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America, Europe, Asia
Removal: Easy
Platform: W32
Discovered: 13 Jun 2007
Damage: Medium

Characteristics: This malware is a type of Worm which attempts to take over the functionalities of Windows Live Messenger to deliver its payload to other systems. The W32.Antixbot.A may also hijack the Internet Explorer Web browser and unlock an unsecured backdoor in the machine.

More details about W32.Antixbot.A

The presence of the W32.Antixbot.A malware in an infected system is marked by the presence of the svchost.exe file in a randomly named subfolder of the System folder in the Windows directory. Once executed in the targeted system an error message is displayed to the computer user where the message contains the text "Profile doesnt exist!" and the message box title "Error". A corresponding link for the executable file is placed in the Start Menu folder of the user's profile. The Windows Registry keys are likewise modified to make sure that the W32.Antixbot.A program is launched every time that the computer system is started or rebooted. The malware searches for the location of the pref.js in order to modify its contents and change the default homepage associated with the Mozilla Firefox Web browser.

According to previous instances of infections, the www.imtools.org website is closely associated with the execution of this malware. The Windows Host file may also be modified by this malware to control the behavior of how Web browsers access addresses on the Internet. The W32.Antixbot.A malware periodically clears the DNS cache to ensure that changes to the Windows Host file are regularly refreshed and remain effective. The antiphishing filter protection of Internet Explorer is disabled by this threat using the associated Windows Registry key. The W32.Antixbot.A program continuously sends links to other computer systems using the Windows Live Messenger service. Simultaneously, it opens a backdoor without the user's knowledge to give its malicious author more control over the infected computer system.