Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 12 Sep 2005
Damage: Medium

Characteristics: The W32.Starimp application is a worm that multiplies through peer-to-peer networks, steals password information, and could execute and download remote files.

More details about W32.Starimp

The W32.Starimp program is a worm that multiplies through peer-to-peer networks, download and execute remote files, and steals password details. When the W32.Starimp is opened, it makes “%System%\mcfCC4.dll” and “%System%\mcfdrv.sys”. The worm puts the “mcfCC4.dll” file into some randomly chosen processes. It makes registry subkeys so that it opens each time Windows starts. The W32.Starimp adds the values "dir0" = "012345:C:\WINDOWS\System32\User Local Files" and "DlDir0" = "C:\WINDOWS\System32\User Local Files" to the registry subkey, so that it multiplies making use of the “Imesh” peer-to-peer application. It also adds the value "dir0" = "012345:C:\WINDOWS\System32\User Local Files", "dir0" = "DlDir0" = "C:\WINDOWS\System32\User Local Files", "DlDir0" = "C:\WINDOWS\System32\User Local Files", and "DisableSharing" = "dword:00000000" to the registry key, so that it multiplies using the “Kazaa” peer-to-peer application.

The W32.Starimp duplicates itself making use of the filenames like “%System%\User Local Files\NAV2005_Keygen!.exe”, “%System%\User Local Files\NAV_updates__05.exe”, “%System%\User Local Files\XXX_teens_16-18.exe”, “%System%\User Local Files\WindowsXP boost.exe”, “%System%\User Local Files\photoshop__2005.exe”, “%System%\User Local Files\anal_sex_photos.exe”, “%System%\User Local Files\TheBat!7.51.256.exe”, “%System%\User Local Files\NortonAntiVirus.exe”, “%System%\User Local Files\DrWEB_Key092007.exe”, “%System%\User Local Files\LAN_hacker_ver2.exe”, “%System%\User Local Files\NeT_KILLER_3.84.exe”, “%System%\User Local Files\julia_XXX_video.exe”, “%System%\User Local Files\Kaspersky_KEY08.exe”, “%System%\User Local Files\HACKER'S View 2.exe”, “%System%\User Local Files\Mozilla_1.9.927.exe”, and “%System%\User Local Files\ProfessionalICQ.exe”. It tries to steal account information by observing Internet Explorer for [http://]www.e-gold.com/[REMOVED] web page. W32.Starimp collects passwords saved on the computer. This worm makes “%System%\drivers\updR.ies4”, “%System%\drivers\updR2.ies4”, “%System%\bkp.ies4”, and “%System%\tickcnt.bin” data files. It could download and execute remote files.