IM-Worm.Win32.Opanki.d


  • Update Kaspersky Anti-Virus database, if it does not yet detect this malware.
  • Delete all files detected as IM-Worm.Win32.Opanki.d.
  • Reboot, if necessary.

This worm is written in C, and is packed using MEW and PE_Patch. It spreads as a link across the AIM network and has Trojan-Downloader capabilities. The packed body is 3 973 bytes in size.

MD5: 4d0a71e9e37a73bd27932e13d03b7ec0

Installation

This worm arrives as a link via the AOL Instant Messaging network. When executed, it copies itself to the Windows directory as NITEAIM.EXE and changes the file attribute to hidden.

The worm adds a value to the registry to ensure it is executed at Windows startup.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinNite="C:\WINDOWS\NITEAIM.EXE"

Payload

The worm will connect to an IRC server to await the following commands:

  • Receive a message to spread across the AOL Instant Messaging network.
  • Download and execute files.

Spreading

The worm spreads messages across the AIM network. The IRC master will specify which message will be sent across the AIM network. The message is completely variable. Normally, these messages contain an <a href> piece of HTML code which tries to trick the user into thinking s/he is clicking a different link.
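
Because the message text is variable, a content filter cannot key on fixed wording; the stable trait is the mismatch between the link text and the real href. The following is an added example, not part of the original entry: a heuristic that flags anchors whose visible text names a different host than the href points to. The function names, sample messages and example.com/example.net hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that itself looks like a URL or bare hostname; group 1 is the host.
URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/?#]|$)", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in a message."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def finish_anchor(self):
        # Record the open anchor, if any (also covers an unclosed <a>).
        if self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.finish_anchor()
            self._href = dict(attrs).get("href") or ""

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self.finish_anchor()

def host_of(url):
    # urlparse only fills in hostname when the URL has a "//" authority part.
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def deceptive_links(message_html):
    """Return anchors whose visible text names a different host than href."""
    parser = AnchorCollector()
    parser.feed(message_html)
    parser.close()
    parser.finish_anchor()
    hits = []
    for href, text in parser.anchors:
        shown, actual = URLISH.match(text), host_of(href)
        if shown and actual and shown.group(1).lower() != actual:
            hits.append({"shown": shown.group(1).lower(), "actual": actual})
    return hits

# Constructed sample message (not captured traffic).
SAMPLE = '<A HREF="http://files.example.net/download">http://www.example.com/photos/me.jpg</A>'
```

Anchors with generic text such as "here" are not flagged, since there is no displayed host to compare against.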

Removal instructions

©Virus-Encyclopedia.com All Rights Reserved.