Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 31 May 2005
Damage: Medium

Characteristics: W32.Pinkton.A was discovered on May 31, 2005. W32.Pinkton.A is a worm component that propagates through America Online Messenger or AIM. Most operating systems affected by this worm are Windows 2000, 95, 98, Me, NT, Server 2003 and XP.

More details about W32.Pinkton.A

If W32.Pinkton.A is executed, it performs several actions to propagate itself. First, the worm drops a clean MSWINSCK.OCX file under the %System% folder. Then, it registers the MSWINSCK.OCX file under regsvr32.exe /s %System% folder. The MSWINSCK.OCX file is a clean ActiveX library from Microsoft used that enables the worm to spread itself in the IM spreading routine and requires libraries to be executed properly. After the worm copies [4 random letters].exe using random name of 4 letters, it adds certain values to the system registry subkeys. Some of those values are added as infection markers while others are used to prevent the execution of some firewall programs. The worm continues to do more actions. It deleted itself and run the dropped copy in the %System% directory with the use of the parameter “Code Pink”. This parameter allows the worm to produce the index.html and [7 random letters].com files. After that, the worm sends a selected message to the first 20 contact once AIM is actively running in the computer. The worm also opens a back door HTTP server listening on Port 80. It also runs DDoS attacks against a selected target.

The infected computer can run slower than usual. This may be due to the malware programs using up system resources. The constant download of files may also consume a large amount of Internet bandwidth. The available disk space may decrease drastically. Pop-up and pop-under messages may appear whenever the system is connected to the Internet. Shortcuts and links may appear in the desktop. Visited web pages and search terms can be recorded and sent to a remote user. These may be used to send more targeted advertising. An unauthorized remote user can also control the infected computer.