IM-Worm.Win32.XorBot.a
Threat Scorecard
Ranking: 16,203
Threat Level: 80 % (High)
Infected Computers: 1,013
First Seen: July 24, 2009
Last Seen: September 15, 2023
OS(es) Affected: Windows
IM-Worm.Win32.XorBot.a is the Kaspersky designation for any Trojan from a large family of Trojans. In other words, "IM-Worm.Win32.XorBot.a" is not the name of one specific virus; it is what Kaspersky calls a whole family of viruses when it detects one of them. Other vendors use different names for the same family: Microsoft, for example, calls it Backdoor:Win32/IRCbot. This makes sense when you consider that the family of Trojans collectively referred to as IM-Worm.Win32.XorBot.a has been around since at least 2005. The Trojan is nothing new, but it is always being used in new ways.
What IM-Worm.Win32.XorBot.a Does
IM-Worm.Win32.XorBot.a is a Trojan that opens a backdoor, connecting the infected PC to a remote controller. Members of this family alter the registry so that they run every time Windows starts. They can then send information from the infected computer to the controller, download other malware to the system, or add the infected computer to a botnet. In the last case, the victim computer may be used to stage denial-of-service attacks or to send spam, among other things.
IM-Worm.Win32.XorBot.a behaves like a worm in that it tries to find email and instant messaging contacts on your computer and then spreads itself to those contacts through spam or instant messages. Beginning in January and February 2011, IM-Worm.Win32.XorBot.a has been infiltrating Facebook and causing links to itself to be posted in the user's status. The links are supposed to lead to photos of women, but instead they lead to a download of IM-Worm.Win32.XorBot.a. This instance of IM-Worm.Win32.XorBot.a takes advantage of the redirect system used for links within Facebook, so that the link looks like it leads to an image when it actually redirects to an executable file.
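The image-versus-executable mismatch described above can be checked on a shared link without fetching it. The sketch below is an added example, not code from the original page or from any vendor: it unwraps redirect targets embedded in a URL's query string and labels links whose final hop is an executable. The redirect parameter names, extension sets, hostnames and sample links are all assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

# Assumed redirector parameter names and extension sets (not from the page).
REDIRECT_PARAMS = ("u", "url", "target")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".msi"}

# Constructed sample links; every hostname is a placeholder.
SAMPLES = [
    "https://social.example/r/IMG_0042.jpg?u=http%3A%2F%2Fhost.example%2FIMG_0042.exe",
    "https://social.example/l.php?u=https%3A%2F%2Fshort.example%2Fgo%3Furl%3D"
    "http%253A%252F%252Fhost.example%252Fpic.scr",
    "http://host.example/photo.jpg.exe",
    "https://social.example/l.php?u=https%3A%2F%2Fphotos.example%2Falbum%2F1.jpg",
]


def unwrap(url, max_depth=5):
    """Return the chain of URLs nested in redirect parameters (no network I/O)."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query)  # values are percent-decoded
        nxt = next((query[p][0] for p in REDIRECT_PARAMS if p in query
                    and query[p][0].lower().startswith(("http://", "https://"))), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def classify(url):
    """Label a shared link by where its embedded redirect chain ends."""
    chain = unwrap(url)
    stem, final_ext = posixpath.splitext(urlsplit(chain[-1]).path.lower())
    if final_ext not in EXEC_EXTS:
        return "ok"
    # Image bait: an earlier hop ends in an image extension, or the final
    # file name hides one before the executable extension (photo.jpg.exe).
    earlier = {posixpath.splitext(urlsplit(u).path.lower())[1] for u in chain[:-1]}
    baited = bool(earlier & IMAGE_EXTS) or posixpath.splitext(stem)[1] in IMAGE_EXTS
    return "disguised-executable" if baited else "executable"


if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link), unwrap(link)[-1])
```

This only inspects targets carried inside the URL itself; a redirect issued by the server at request time is outside what it can see.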
IM-Worm.Win32.XorBot.a Symptoms (or the Lack Thereof)
Unfortunately for the owner of an infected PC, there are generally no signs of infection with IM-Worm.Win32.XorBot.a. Only the recipients of the bogus emails and instant messages that IM-Worm.Win32.XorBot.a creates will have any idea that something strange is going on, which makes this a perfect illustration of why everyone should use anti-virus software. As a general word of advice, you should never click on a link on a social networking site, or within a chat window, that seems out of place for the user who supposedly sent it. If the presence of a link seems wrong, don't click it!
Aliases
15 security vendors flagged this file as malicious.
Anti-Virus Software | Detection |
---|---|
AVG | Dropper.Generic4.CMOF |
Fortinet | W32/IRCBot.ADAK!tr.bdr |
Ikarus | Virus.Win32.CeeInject |
Kaspersky | Backdoor.Win32.IRCBot.adak |
Avast | Win32:Dropper-FIT [Drp] |
NOD32 | a variant of Win32/Injector.KPI |
McAfee | Artemis!6A8AE0AE0049 |
AVG | Generic29.XXC |
AntiVir | BDS/IRCBot.A.1035 |
DrWeb | BackDoor.IRC.Bot.1894 |
Kaspersky | Trojan.Win32.Jorik.IRCbot.qun |
Avast | Win32:IRCBot-EXC [Trj] |
McAfee | Artemis!598CBECBE830 |
CAT-QuickHeal | Trojan.Jorik.IRCbot.qun |
AVG | Generic29.QGJ |