Windows Worm Uses BitTorrent to Propagate

Written by Smaran on June 26, 2007 

A worm that infects Windows XP and, possibly, Vista is said to spread itself over IM applications, like AIM and Windows Live Messenger, and… BitTorrent. Security research firm Sophos says the worm uses “a social engineering scheme” to get people to unknowingly infect their computers with it.


The worm, W32/Impard-A, is a highly sophisticated program with multi-lingual support that can effectively spread itself, delete and send other, rival malware present on the computer back to its creator, and utilise BitTorrent in achieving its goal.

Like most such malware, W32/Impard-A is controlled over IRC. Richard Cohen, a security expert with Sophos, said:

It’s controlled by a remote user over IRC, and is capable of sending itself via AIM and MSN, storing itself as a file called IMG009.jpg-www.imagehosting.com inside a zip file called C:\RECYCLER\myphoto.zip, and then sending this zip with a message that promises pictures, written in the same language as the infected computer. This sort of social engineering tries to maximize the chance that recipients will believe it to be legitimate and open the attachment, though this is shot in the foot somewhat by the fact that many of the phrases have been cut off abruptly.

I have personally seen the messages generated by this worm, when a Yahoo! Messenger-using friend of mine asked me to visit some obscure URL to look at her photos. She uploads all her photographs to Facebook, so I became suspicious right away. It turns out, this worm is so versatile, it can hijack just about every popular IM client and use the signed in account to spread to its contacts. What’s very interesting, though, is how the worm utilises BitTorrent.

Once running on the host computer, the worm searches for the BitTorrent mainline client executable (bittorrent.exe). If it finds the file, it opens up a torrent and, after downloading a copy of itself to a specific location on your hard disk, starts seeding it.
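As an added defender-side check (this is not code from the article or from Sophos), the scanner below inspects a zip archive for the trick the quote describes: an entry named to read as a picture whose contents actually begin with a PE (MZ) header. The sample archive is constructed inline; only the entry name and the drop path come from the article.

```python
import io
import zipfile

# Indicators quoted from the Sophos description in the article.
SUSPECT_ENTRY = "IMG009.jpg-www.imagehosting.com"
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png", b"GIF8": "gif"}


def is_known_drop_path(path: str) -> bool:
    """True for the reported drop location, case-insensitive, either slash style."""
    norm = path.replace("/", "\\").lower()
    return norm.endswith("\\recycler\\myphoto.zip")


def looks_like_image_name(name: str) -> bool:
    """True if the name is built to read as a picture (.jpg/.jpeg/.png/.gif anywhere in it)."""
    lowered = name.lower()
    return any(ext in lowered for ext in (".jpg", ".jpeg", ".png", ".gif"))


def classify_entry(name: str, head: bytes) -> str:
    """Classify one archive member from its name and first bytes."""
    if head.startswith(b"MZ"):
        return "pe-disguised-as-image" if looks_like_image_name(name) else "pe"
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def scan_zip(data: bytes) -> list:
    """Scan a zip held in memory; return (member name, verdict) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings.append((info.filename, classify_entry(info.filename, head)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a fake 'photo' that is really a PE stub, beside a real JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SUSPECT_ENTRY, b"MZ" + b"\x00" * 62)  # DOS header stub, not a runnable program
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()
```

The same check applies to any attachment that arrives with a double or decoy extension, not just the one file name Sophos reported.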

This is the first reported instance of malware making use of BitTorrent to achieve its creators’ ends. If you think about it, it makes perfect sense. Why should the malware author waste bandwidth downloading his worm to thousands of Windows computers around the globe, when he can make his army of zombified ones redistribute it for him, free of cost?

21 Responses

1 Jun 26, 2007 at 23:17 by raptrex

What if I’m using uTorrent and Pidgin as my BitTorrent and AIM/MSN clients,
will I get infected?

2 Jun 27, 2007 at 00:42 by nt

The article says it only affects BitTorrent mainline.

3 Jun 27, 2007 at 12:48 by CC

I must be missing something but why would Bittorrent be of any benefit if it is already distributed in a peer-to-peer manner using IM in the first place. Is it simply to increase the chances of P2P downloaders picking it up even with no IM clients in place?

Also doesn’t that increase the chances that the source gets traced down via the tracker?

4 Jun 27, 2007 at 22:39 by anonymous

“Also doesn’t that increase the chances that the source gets traced down via the tracker?”

They could be using ‘tracker-less’ torrents, which wouldn’t need a centralized tracker. http://en.wikipedia.org/wiki/BitTorrent_tracker

5 Jun 27, 2007 at 22:56 by M

I just recently installed it, and it put a “fearcombat” exe file on my desktop, that even in Safe mode I can’t delete?? Any ideas? I only use Xfire and Trillian…

6 Jun 27, 2007 at 23:11 by good-ole-days

“I just recently installed it, and it put a “fearcombat” exe file on my desktop, that even in Safe mode I can’t delete?? Any ideas? I only use Xfire and Trillian…”

In the good old DOS days, there was a trick to delete files that don’t want to be deleted. I suppose it won’t work on XP, but you could try:

Start up your notepad and save an empty file, overwriting the nasty one. It has to have the exact same name, including the file extension. This empty file is more likely to be deletable. Don’t ask me why but it worked around ten years ago. Good luck.

7 Jun 28, 2007 at 01:05 by Josh

There is another way to delete any file off your computer in Windows XP. If you have Home Edition you will have to boot into Safe Mode and then right-click on the file and select Properties. Then click on the Security tab and assign yourself as the owner of that file. Once that is done you can delete the file. If you have Windows XP Pro it’s easier, as all you have to do is turn off Simple File Sharing and then you will have access to the Security tab in the file Properties window.

8 Jun 28, 2007 at 02:33 by eBooksBay

Using Ubuntu will make you feel like a King, try it.

http://www.ebooksbay.org

9 Jun 28, 2007 at 04:04 by cromttu

Just another reason to use a more secure operating system. Linux is invulnerable to this and ALL Microsoft virii. These problems and the dreaded “blue screen of death” are the reason Windows doesn’t have a place on my machine any more.

10 Jun 28, 2007 at 13:16 by Steve

“I just recently installed it, and it put a “fearcombat” exe file on my desk top, that even in Safe mode I can’t delete?? Any ideas?”

Try Ubuntu, you’ll never look back.

11 Jun 28, 2007 at 15:03 by BinaryG

OK, I agree a lot of Linux-based OSes are far better than Windows of any flavor, but until people can play the latest games in a *nix environment Linux will always be behind Bill and his bull. If you just want to surf the net and use your computer for server, office, and many more things then Linux is for you. The thing is, a badly configured Linux system can leave you more open than having a Windows system running.

I personally have been running with a hardware firewall, no AV, only running scans once a month; the only virii I have found have been the ones I have installed for testing. What I believe is that people need more education on how to use and secure their OS and not think that just having an off-the-shelf FW & AV will protect you 100%.

Feel free to flame me or agree, I don’t really care. My final note is: don’t trust that spotty kid in your local PC shop that used to work in Burger King to give you good advice, they normally know nothing.

“You can have the strongest lock on your door, but if you have windows they can be broken; it’s the person on the other side that stops the burglars getting in.”
(binaryg 28/06/2007)

12 Jun 28, 2007 at 17:14 by good-ole-days

Windows for gaming, *buntu for everything else. Dualboot is the magic word.

13 Jun 29, 2007 at 19:16 by medigeek

This could be an all-around infection, including MSN/Yahoo/IRC and the rest.
Call me crazy, but I bet the person that spreads this has something to do with some other MSN Messenger related worm:
http://medigeek.blogspot.com/2007/06/warning-undetected-msn-worm-pic901com.html

14 Jul 02, 2007 at 21:34 by graph

Tried a program called Unlocker, and it seemed to work. It was associated with the Explorer…yikes!!

15 Jul 09, 2007 at 17:06 by J_DiRT

Newsgroups > Torrents

16 Jul 12, 2007 at 00:14 by Gabriel

I didn’t get the BitTorrent part. Could you please enlighten me?

If BitTorrent needs a *.torrent file to allow leeching (and seeding), how does this worm infect Windows systems through this kind of distribution network? Who will leech the worm in the first place if all infected machines already seed it?

17 Jan 06, 2008 at 13:10 by daexion

Gabriel::

I believe what it does is put a description that is sure to get someone to download it via torrent, and when it gets downloaded and run/opened it does its thing again. Rinse and repeat.

18 Jan 30, 2008 at 13:23 by Nikky

So what’s the safest option?
