The worm, W32/Impard-A, is a highly sophisticated program with multi-lingual support that can effectively spread itself, delete and send other, rival malware present on the computer back to its creator, and utilise BitTorrent in achieving its goal.
Like most such malware, W32/Impard-A is controlled over IRC. Richard Cohen, a security expert with Sophos, said:
It’s controlled by a remote user over IRC, and is capable of sending itself via AIM and MSN, storing itself as a file called IMG009.jpg-www.imagehosting.com inside a zip file called C:RECYCLERmyphoto.zip, and then sending this zip with a message that promises pictures, written in the same language as the infected computer. This sort of social engineering tries to maximize the chance that recipients will believe it to be legitimate and open the attachment, though this is shot in the foot somewhat by the fact that many of the the phrases have been cut off abruptly.
I have personally seen the messages generated by this worm, when a Yahoo! Messenger-using friend of mine asked me to visit some obscure URL to look at her photos. She uploads all her photographs to Facebook, so I became suspicious right away. It turns out, this worm is so versatile, it can hijack just about every popular IM client and use the signed in account to spread to its contacts. What’s very interesting, though, is how the worm utilises BitTorrent.
Once running on the host computer, the worm searches for the BitTorrent mainline client executable (bittorrent.exe). If it finds the file, it opens up a torrent and, after downloading a copy of itself to a specific location on your hard disk, starts seeding it.
This is the first reported instance of malware making use of BitTorrent to achieve its creators’ ends. If you think about it, it makes perfect sense. Why should the malware author waste bandwidth downloading his worm to thousands of Windows computers around the globe, when he can make his army of zombified ones redistribute it for him, free of cost?
