W32.Yimper


Aliases: Generic3.SOR, Troj/VB-DUS, W32/VBWorm.NGM
Variants: Win32.Worm.VB.FI

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 30 Nov 2005
Damage: Low

Characteristics: The W32/Yimper program is a worm that propagates through Yahoo! Instant Messenger and AOL Instant Messenger by sending messages, which contain a link and when opened, it directs you to a malicious site. The sytems affected by this worm are Windows 2000, Windows 98, Windows 95, Windows Me, Windows Server 2003, Windows NT, and Windows XP

More details about W32.Yimper

The system folder and adds values to the registry sub keys in order to execute the worm each time that Windows starts. The worm sends messages to all Yahoo! Instant Messenger and AOL Instant Messenger contacts with an attached file that contains a link and once clicked, it directs you to a malicious web site. If the attached file is opened, the worm downloads a copy itself on to the computer. It has been claimed that the worm can be downloaded as self-extracting archive that contains sI.exe (copy of W32.Yimper) , YSBAgree.exe (Detected as W32.Yimper) and 1004270.exe (copy of Download.Adware) file. The above files are executed only when 1004270.exe is as well executed. After that, it attempts to download updates to itself from the particular URL that shows dialog box.

The dialog box is entitled Cheat Toolbar andcontains thyis message “Cheats Explorer Add-In. Click "I AGREE" to upgrade your system with the custom toolbar. After installation, the toolbar will make your surfing experience a breeze. By clicking "I AGREE" you are accepting the Licence Agreement and installing IST toolbar which is supported by additional softwares.” Once you click on the agree on the dialog box, it then downloads a copy of adware.istbar from a particular URLs that directs you to another malicious web site.