W32.Otpoh is a computer worm that uses MSN Messenger services to spread a copy of itself over the Internet. The worm may also propagate through removable USB drives, and it opens a backdoor on the infected computer.
Alias: Worm:Win32/Nusump (Microsoft), Generic BackDoor.u (McAfee), Malware.Otpoh (PCTools), Trojan.Win32.Buzus.iira (Kaspersky Lab), W32/Nusump-C (Sophos), Trojan.Win32.Buzus (Ikarus)
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
When executed, this worm drops an executable file in the Windows temporary folder. It then adds a registry entry so that its process runs every time Windows starts.
Once inside the computer, W32.Otpoh opens a backdoor port and frequently connects to an Internet Relay Chat (IRC) server to receive commands. Aside from allowing a remote attacker to manipulate the computer, this worm may also steal sensitive information, including the following:
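A triage check for the persistence pattern described above (an executable in a temporary folder launched from a registry autostart entry), as an added example that is not part of the original write-up. The Run key, value names, paths and environment in the sample are constructed assumptions; the page does not name the key or file W32.Otpoh uses.

```python
import ntpath
import re

# Constructed `reg query` output for a Run key. The key, value names and paths
# are illustrative assumptions; the page names no key or file for W32.Otpoh.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater    REG_EXPAND_SZ    %TEMP%\example-dropped.exe
    Helper    REG_SZ    C:\USERS\alice\AppData\Local\Temp\7zS01\..\example2.exe -s
    Backup    REG_SZ    C:\Tools\Temporary Backups\run.exe
"""
# Constructed environment of the host the export came from.
SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "SYSTEMROOT": r"C:\Windows"}
TEMP_DIRS = ["%TEMP%", r"%SYSTEMROOT%\Temp"]

VALUE_LINE = re.compile(r"^\s*(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*)$")
PROGRAM = re.compile(r".+?\.(?:exe|com|scr|pif|bat|cmd)\b", re.I)

def expand(text, env):
    """Expand %VAR% references using the supplied (not the local) environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def program_path(data, env):
    """Return the normalised, lower-cased program path of a Run value."""
    command = expand(data.strip(), env)
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]  # quoted path: take what is inside the quotes
    else:
        match = PROGRAM.match(command)  # unquoted: cut at the first executable extension
        program = match.group(0) if match else command.split(" ", 1)[0]
    return ntpath.normpath(program).lower()  # collapses ".." and mixed case

def temp_autoruns(reg_output, env, temp_dirs):
    """List (key, value name, path) for autoruns whose program lies under a temp dir."""
    roots = [ntpath.normpath(expand(d, env)).lower() + "\\" for d in temp_dirs]
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := VALUE_LINE.match(line)):
            path = program_path(m["data"], env)
            if any(path.startswith(root) for root in roots):
                hits.append((key, m["name"], path))
    return hits

if __name__ == "__main__":
    for hit in temp_autoruns(SAMPLE_REG_QUERY, SAMPLE_ENV, TEMP_DIRS):
        print(hit)
```

The trailing backslash on each temp root keeps lookalike folders such as `Temporary Backups` from matching, and a hit is a lead for review rather than proof of infection, since some installers also run from temporary folders.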
- Computer identification
- Computer name
- User name of the currently logged-in user
- Version of the operating system
- Antivirus product name and version
- Version of W32.Otpoh currently installed on infected computer
The gathered information is sent to a remote attacker and serves as a reference for subsequent attacks.
W32.Otpoh also steals user names and passwords if victims are currently logged in to applications such as FileZilla, MSN Messenger and Mozilla Firefox.
The worm may spread by sending a copy of itself to contacts it gathers from MSN Messenger applications. Locally, W32.Otpoh may propagate by infecting any connected removable drives.