Aliases: W32/Imaut
Variants: W32.Imaut.A, W32.Imaut.J, W32.Imaut.B, W32.Imaut.U

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: North America, Asia, Europe
Removal: Easy
Platform: W32
Discovered: 06 Jan 2007
Damage: Low

Characteristics: W32.Imaut is an instant messenger worm. It propagates through instant messaging clients such as Microsoft Windows Live Messenger, AOL Instant Messenger and Yahoo! Messenger. It downloads additional files from remote sites onto the infected machine, which may themselves be malicious, and it disables the Registry Editor and Windows Task Manager.

More details about W32.Imaut

Once W32.Imaut is running on an infected machine, it retrieves files from several websites and saves them locally. It then adds values to a registry run key so that it executes each time the operating system starts, and adds values to another registry key to set a new homepage for Yahoo! Messenger and Internet Explorer. The worm monitors application windows whose titles contain the strings “Windows Explorer” or “My Computer” and, when it sees one, attempts to connect to the website it downloaded its files from. It also watches for open Windows Messenger, Yahoo! Messenger and AOL Instant Messenger windows and attempts to lower their security settings.

The worm then sends instant messages to the contacts of the user’s installed instant messaging clients; the messages contain links to the site it downloads from and to the other sites it connects to. When a recipient clicks one of the links, the malware downloads a copy of itself and displays random advertisements. It also tries to click AdBrite advertisements and windows whose titles contain the string “Active marketing website for ads – Microsoft Internet Explorer”, generating fraudulent ad clicks. It then attempts to terminate security-related processes and, once it has successfully connected to the site it downloads files from, redirects the browser to a specific website. The worm is also reported to exploit the Microsoft MDAC Function Broadcast Response Buffer Overrun Vulnerability (Microsoft Security Bulletin MS03-033, CVE-2003-0353) to copy itself to other systems; machines patched against that bulletin are not exposed to this propagation route.

Removal: on Windows XP or ME, first disable System Restore so that the worm is not preserved in a restore point. Open Windows Task Manager and end the processes belonging to the worm; if the worm has already disabled Task Manager, use another process-listing tool or boot into Safe Mode. Delete the files the worm saved, remove the values it added to the Registry, including the run key entries and the policy values that disable Task Manager and the Registry Editor, and reset the Internet Explorer and Yahoo! Messenger homepages. Re-enable System Restore once the system is clean.
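Analysts usually confirm the persistence and lockout changes described above from a registry export rather than on the live machine. The following Python is an added example (not code from the original page or from any vendor) that parses a .reg export, reports Run-key autostart values, the DisableTaskMgr and DisableRegistryTools policy values that are the standard Windows mechanism behind a disabled Task Manager and Registry Editor, and an altered Internet Explorer start page, and emits a .reg file that deletes the lockout values and suspicious autostart entries. The sample export, the file name svhost.exe and the “suspicious directory” heuristic are constructed assumptions; the worm’s actual file and value names are not given on this page.

```python
import re
from dataclasses import dataclass

# Key paths are compared case-insensitively, as the registry itself does.
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
# Assumed heuristic: legitimate autostart images rarely live in these directories.
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [-KEY] means "delete key"
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "Name"=... or @=... (default)
_ESC = re.compile(r"\\(.)")                                   # .reg escapes \ and " with \


@dataclass
class Finding:
    kind: str   # autostart | autostart-suspicious | policy-lockout | homepage
    key: str
    name: str
    value: str


def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _ESC.sub(r"\1", raw[1:-1])   # REG_SZ
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)             # REG_DWORD
    return raw                              # hex:/other types kept verbatim


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)
            if current is not None:
                hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _ESC.sub(r"\1", m.group(1))
            hives[current][name] = _parse_value(m.group(2))
    return hives


def triage(hives):
    """Report autostart entries, lockout policies and the IE start page."""
    findings = []
    for key, values in hives.items():
        k = key.lower()
        lower = {n.lower(): v for n, v in values.items()}   # value names are case-insensitive too
        if k in RUN_KEYS:
            for name, cmd in values.items():
                suspicious = any(d in str(cmd).lower() for d in SUSPICIOUS_DIRS)
                findings.append(Finding("autostart-suspicious" if suspicious else "autostart", key, name, str(cmd)))
        elif k == POLICY_KEY:
            for name in ("DisableTaskMgr", "DisableRegistryTools"):
                if lower.get(name.lower()) == 1:
                    findings.append(Finding("policy-lockout", key, name, "1"))
        elif k == IE_MAIN_KEY and "start page" in lower:
            findings.append(Finding("homepage", key, "Start Page", str(lower["start page"])))
    return findings


def cleanup_reg(findings):
    """Build a .reg file deleting lockout values and suspicious autostarts
    ("Name"=- deletes a value on import). Review it before `reg import`."""
    by_key = {}
    for f in findings:
        if f.kind in ("autostart-suspicious", "policy-lockout"):
            by_key.setdefault(f.key, []).append(f.name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend('"%s"=-' % n.replace("\\", "\\\\").replace('"', '\\"') for n in names)
        lines.append("")
    return "\n".join(lines)


# Constructed sample export; svhost.exe is a hypothetical file name, not the worm's.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svhost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"""

if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"{f.kind:22} {f.key}\\{f.name} = {f.value}")
    print(cleanup_reg(triage(parse_reg(SAMPLE_REG))))
```

Export the hive on the suspect machine with `reg export HKCU hkcu.reg`, run the script offline, review the findings, then import the generated file with `reg import`. The policy values lock out regedit.exe, so the `reg.exe` command-line tool is the practical way back in; the start page is only reported, and the legitimate autostart entry (ctfmon.exe in the sample) is deliberately left alone, so reset the homepage and delete the dropped files by hand after confirming what the worm changed.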