Threat Scorecard

Ranking: 12,958
Threat Level: 80 % (High)
Infected Computers: 1,009
First Seen: July 24, 2009
Last Seen: November 8, 2022
OS(es) Affected: Windows

IM-Worm.Win32.XorBot.a is Kaspersky's designation for a large family of Trojans rather than the name of one specific virus: it is the label Kaspersky applies to any member of that family it detects. Other vendors use their own names for the same family; Microsoft, for example, calls it Backdoor:Win32/IRCbot. The variety of names is unsurprising given that the family has been around since at least 2005. The Trojan itself is nothing new, but it is continually put to new uses.

What IM-Worm.Win32.XorBot.a Does

IM-Worm.Win32.XorBot.a is a Trojan that opens a backdoor, connecting the infected PC to a remote controller. Members of this family alter the registry so that they run every time Windows starts. Once running, they can send information from the infected computer to the controller, download other malware onto the system, or enlist the infected computer in a botnet, in which case the victim machine may be used to stage denial-of-service attacks or to send spam, among other things.
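The page states that members of this family alter the registry so that they run at every Windows start. As an added defender-side check, not code from the page or from any vendor, the following read-only PowerShell audit lists the Run and RunOnce autostart entries and flags those whose executable sits outside the Windows or Program Files directories, borrows the name of a Windows system binary while living outside System32, or no longer exists; the key list and the system-binary name list are my own assumptions.

```powershell
# Added example, not from the page: audit the Run/RunOnce autostart entries that a
# registry-persisting Trojan relies on, and flag the ones a defender should inspect.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Names of genuine Windows binaries that malware often borrows (assumed list, not from the page).
$systemNames = @('svchost.exe', 'csrss.exe', 'rundll32.exe', 'lsass.exe', 'winlogon.exe', 'explorer.exe')
# Directories in which autostart binaries are normally expected to live.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ExePath([string]$command) {
    # Pull the executable path out of a Run value such as '"C:\dir\x.exe" /arg' or 'C:\dir\x.exe /arg'.
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        $raw = [string]$item.GetValue($valueName)
        if (-not $raw) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $raw))
        $name = [IO.Path]::GetFileName($exe).ToLower()
        $reasons = @()
        # 1. Autostart binary outside the Windows and Program Files trees.
        $inTrusted = $false
        foreach ($root in $trustedRoots) { if ($exe -like "$root\*") { $inTrusted = $true } }
        if (-not $inTrusted) { $reasons += 'outside Windows/Program Files' }
        # 2. A system-binary name (e.g. svchost.exe) whose file does not live in System32.
        if ($systemNames -contains $name -and $exe -notlike "$env:SystemRoot\System32\*") {
            $reasons += 'system-binary name outside System32'
        }
        # 3. Target does not exist (bare names without a path also land here): worth a look.
        if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target file missing' }
        $label = if ($reasons.Count) { "[SUSPECT] ($($reasons -join '; '))" } else { '[ok]' }
        "$label $key\$valueName -> $exe"
    }
}
```

Run it from an elevated prompt so the HKLM keys are readable; entries marked [SUSPECT] are leads to verify by hand, not verdicts.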

IM-Worm.Win32.XorBot.a also behaves like a worm: it searches the infected computer for email and instant-messaging contacts and spreads itself to them through spam or instant messages. Since January and February 2011, IM-Worm.Win32.XorBot.a has been spreading on Facebook by posting links to itself in the infected user's status. These links purport to lead to photos of women but actually lead to a download of IM-Worm.Win32.XorBot.a. This variant abuses the redirect system Facebook uses for links, so that a link that appears to point to an image actually redirects to an executable file.

IM-Worm.Win32.XorBot.a Symptoms (or the Lack Thereof)

Unfortunately for the owner of an infected PC, an IM-Worm.Win32.XorBot.a infection generally produces no visible signs. Only the recipients of the bogus emails and instant messages it sends will have any idea that something is wrong, which makes this a perfect illustration of why everyone should run anti-virus software. As a general rule, never click a link on a social networking site or in a chat window that seems out of character for the person who supposedly sent it. If a link seems wrong, don't click it!

Anti-Virus Software Detection

15 security vendors flagged this file as malicious.

AVG: Dropper.Generic4.CMOF
Fortinet: W32/IRCBot.ADAK!tr.bdr
Ikarus: Virus.Win32.CeeInject
Kaspersky: Backdoor.Win32.IRCBot.adak
Avast: Win32:Dropper-FIT [Drp]
NOD32: a variant of Win32/Injector.KPI
McAfee: Artemis!6A8AE0AE0049
AVG: Generic29.XXC
AntiVir: BDS/IRCBot.A.1035
DrWeb: BackDoor.IRC.Bot.1894
Kaspersky: Trojan.Win32.Jorik.IRCbot.qun
Avast: Win32:IRCBot-EXC [Trj]
McAfee: Artemis!598CBECBE830
CAT-QuickHeal: Trojan.Jorik.IRCbot.qun
AVG: Generic29.QGJ

File System Details

IM-Worm.Win32.XorBot.a creates the following file(s):

Registry Details

IM-Worm.Win32.XorBot.a creates the following registry entry or registry entries:
