Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Santa IM Worm Installs Rootkit Payload



 By: Ryan Naraine
2005-12-20
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A Christmas-themed worm attack is on the loose, affecting instant messaging networks from AOL, MSN, Windows Messenger, ICQ and Yahoo.

A new Christmas-themed worm attack is underway, delivering an offensive rootkit payload over the AOL, MSN, Windows Messenger, ICQ and Yahoo instant messaging networks.

The worm, identified as IM.GiftCom.All, was discovered by researchers at IMLogic Inc.s Threat Center spreading via IM and attempting to trick users into clicking on a malicious URL.

The link lures the target into visiting a harmless Santa Claus Web site, but actually installs a rootkit payload to the victims machine, IMLogic said in an advisory.

Resource Library:

"The rootkit payload is often named gift.com and when executed hides itself on the users system, attempts to shutdown desktop anti-virus software and starts collecting the infected users information for broadcast over the Internet," the company explained.

Researchers say automated IM worm is inevitable. Click here to read more.

Once a machine becomes infected, the worm takes control of the users buddy list and broadcasts itself to all available recipients.

IMLogic rates the threat as "medium" and warned that propagation is possible on the five most popular IM networks.

It is not yet clear if the worm is associated with IRC bot families used in previous IM worm attacks.

The appearance of a Christmas-themed worm comes as no surprise.

Virus writers have found a sweet spot with the use of slick social engineering techniques to trick computer users into downloading nasty malware programs.

Earlier this month, a worm on the AIM network was seen carrying on text-based conversations with potential victims if a first attempt at infection failed.

If the victim replied to the IM to doubt the legitimacy of the link being sent, the worm replied with the following message: "lol no its not its a virus."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Santa IM Worm Installs Rootkit Payload
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}v㶒s{̎Sj^-c[nsY$MRt&?1/Oo 3LAhy6P|o%o92t<9)G4ò|WR99Ͱ5zz"[1v8RMe0Ǔ4ߚ1=ͩ:6|q3.EiѶuV"lG :qrn?xF93ӡ`BәmiueU_Zr nvO|wSb UakiP9qUL(usLr(EB~=_Cj&j eB_,8X_KQ% zh@7? dt2eTh^ ;Gi7o,AB>88`uӚ& #D>L@%X\093cfM9T"3Q=MV1tGZv.f\y"%oUP\胒_& ꊬwYM Q#wy,M \peRDQ01SEXh΋!eO^ C34֌p.\Ri%.8VG9MGZ9M"eYKPP:ag0/Ltj[-a[E*u3+(nL>@:5թ[SC7gPPI8hƋmܣ<3UI7B@>~{3 ݺOnE+tÇ95|SD5  l"]LRul;>l d $4 0<sx0ܙ[S/.A CˋF0P B^~:aQ(9N@4ur`)QiN5-uhZ`Q 4aCoEF˥s }Q #0HQt"D% T h4AG0EENm9bo$?HHpX.VpLljp (7]H8w@.%s㑰\J٣"BsYa7// LSRdAӴe ,="`MjTB[ᛥLKak Sn,`oJR]Q*5xIoB{4250BtH{43-` [X& '*ǔ4$f.*q<10rǞs,:TľNP =Ǻ3#:\F3#-5g=01}c^ sG2Qa4 ƉMH|fB=q؛8X#EVu]4yPh! #=0'SqÙ=5q ԇ¡&9|QzY2ۿ)|("+Q7˔L kZ2H\1ϧ2*hsspe{rKsFM'W{HU_IHcX`D@ /0}35bFJf zhE梳x_lʷX nk^ӛA-t\]K> MVl M-=/ԔE"B]@Aq..yg?CU\fx,"jXUcjx멡Td\j{||30bR~2Ejw 8pF#}q8Nw7Tz~)~ƍa_0t .tȕH`x䃋 L*`Bٲ ٣10ݛ,]Q&SZ91[ P{iT9RRkEBZG Ȭt &Cf75"ч֠u YԊ2}f{omhDс(dyDF^{\p 'Y|8ڳ"ZJŌ}v3ZUx9 |MMW2ED3yxrC골%[L/Sw"R İ\. yo D*Q}M:jV_:nM('\Vr,0ƹ!> ?/$(Rd-kqg@Zʦ2U-U|^`.RMԵ 4DD GQ>=U710 F,j}>JSOT'7-JbZe)~gQC.'E/: tXvϠ%ߴspoF'= iK#[b]R/MSf\=^!%Sgo_ܙ 9w6*%E)vW@lj%WnG;>&ra:: *O4Ϡ[$Kb]LV[_Tj vE=NIX;HHˈz֎d˻\lp Im[xly`KXXcִr3N`afV,VhnOt vWyAIz%b |* NOj0 Ϛd2 ;?B77!)*t{N[OxHquU_u{~{yjNڝg(L z݇?* oB!) Lj~~py"t.Zbs!,Ѹe'@*$ppܰW'&ƸCO^YY jt. ׬ mm}7xPZplBan߽p.Z;%q{Ny-$W֝ u B@!hސBfLl/ Iu1`` 鈓N):Lbϻ>4h0K]'KQ+RJ)5F&zRG6o'u1f} Rt4zUr:ÝpER}C<\<Ͳh<"md=QtJqvI#`ybSӃ یr3 pS|y!lV+ 7V_"HtUݏkԛC21uݰ#N MUsN&"1ŧ '6ܳ BYaqB{ G!m'imiRjTK)utJ)SBt+02YOqPU2'I^R6Tc$U(8%!4b"C+wZowպܜ47<ѭަmxzIuc!ϝNY+ Dę/iLA1;ǭp G7la}P>WZ4ҳo)˫h|Du`8c<aWYA>( ;g'R僃@WS fO:V`M{䄧q?I,8N*tb(L_@n!Bݱ?@l;{꓍~;O:vЛ;#S6! =V@O@hIPޙc5p#L/zv~ِ1AohkV< B~o'[ yP>hn!ZCώ$ؘ&ኤ JAVP,,2˞(vɔ^ Oƭ`@T6CGz fF=-Tv{cs7^<@ǒUo42]wm߀Lqmej,$.?/q-@k"kyNJ<^88آp ,$~z,BDӨg< ^׮zt߳=jvÏ9"k ?үQ@/-z 豣T? G~"A+[Fn3f Z FZOkXg+Ol"?BWc#ZT>9bL0eHVk Vt#Η&-M3\s'W|% rUj4?As*C72U%<|}'b{ZƷIٛdž9[W@EbS\y_tHI4{0`\Cd.gAaM 9BY!6YVUcRPq l rF+:,7<8V13).qQ>~zkQتHW?ۧi/ne3_p(JX,UURE(MyJ$eV/?%WCArsJ,qCnXW(uvpP0bP݅Mv2~r9E ~7Y$9FCa HǣgJ(*]_T- &48@d4[%^"6T FSJ8ڬ|YxёnPXN aѾ#k. t#ށ!7ڍ|$kj)V%\{i9lWtCBGYqa)1^DU j8UW5Ҹ0Γ!KSO9?Pzέa 4R.\g'XZ!l RtEDQg )WbU'rVm7wq ˂RK\ِ]0m-e|AQ*Ze"~!V6q,_^a׶.إ).x]nmȄfZ9IxmwH./zg ?{Ϲ&s,s! u~4 $ \0bZT EÛ݊*TPG8Gs~3@GrgEU,0'c+!P EIn,5>0ТbLa' 0.ۢa7ois[]JPG#Y8VQMNj~&ܬ5t#X|pum3u]˚rlؗ/bj1ǏfePǩ3J/bw? jZ4frIzooooo&=Y͵e0.{0BcT{m0bTu>Y0bv0Se!h0Z:Bȶؗ67n{M4;ܖm_H K¥W93_8~LRݲD _ؽOlaظ5R^ߟ-;0 L[P1`O]H!߰@Zek~}AscW5 YQ'b/ܘęhw1_u:>iM<IMs#'sg~wbK8:C/f~ٚVw6uu\k[ξ&.⫽uiwZǃCsgsF53M+\!ɍ@ZrS&ȹ}|P6-X P|J0  c (`[#.|.FE..-+xԹ3BJheeyeu?ۧ^N;7`dH3@5ja-Ior?ӷdD)4Rf7Z`p3`xXSpUz~~yc6h'LgW&;R^/e#ɑgq, -˚Vړ!Niq1wт,Þ@uyzUcň1:#܌T<.Յ/n;CТѿ q/+} ұ/EZ+hV;dLŵf,k`񕆤ΐ=1֑5RO]til'٫Q}mc;4‹`S\E7+,[/1t7vi6F|H܉M&>[# l8Dw):]U; jahC6xbqNq)"?Hq[aʧ1ۃq=>Fo w{~O/noJI ѵf#>Şr\-3N\ϳ p}jE Н Da0VdTϷn,o Teow;\DNt|+,١47iι,V+Onuζky)nR**Uz$-qGpALƾ9e/`|̤{V$(cXtA c@ ӡW۪mݨk鶆̝mvS%4I`~fϣK{YF^ B1u^ciJqsM[.{=c<%&hPþ3=F+[^mZ[{;afX &xΦV-r5!F,[;׿s"oHPpHT[Mu@&(5PсHz*#y#WǍ_C*qq{Z^nY"׆L[>=ZIHhǴ %L͘J< EOH LW<0՘0F ʪM;I.P}sY?e=`U/_\}bAIzb)Yא51 Yoc3q.\ &IGyg%UMQT}x[+}Y)_h48zl@1"6r?Ec4*&H»`GSojeDĤ.$~w5`G * ;B,bqD['酀Id2s kD /ulߴ?#?:};ozxh2kzM>0Cߑ7UHD~> gi>=!ANl0Vl8cXO!h#jٟ 0ِG ߰2 b&s)؇cC|w57?__'Rԝ04pFJ["}ɹףMN퓄p40a@x$td 7psIQ"9ghY֬.j|xc '+*(q5"1V#*g rD8BbS:("*@`g*o !C *@Đ͌$y3 M`:x:G;(SKm.q~uփWe~tthdj],5<ɚMG$#[Cg0&?U%X9Pl\Kwj}P\<_ !52wüޝ/"}|Na8ZrzK5*/I]@*1ˮSƲ\N4cox8UhVXű60M蕴B9^4r##zFC>}`?QXf9^9nIQst/Q{Ǽ%_B{{sپ\sSӃw;*:եU&ڋJYreAN/[mj ʩg46皅ew^;OK"飱8/[ű3~|J,Q!F^-]ecurrԊsm59^L7%ǎB `[}vR2*#Mf&7 )n}>e; MjV*Qm;H^"үӏ[]HHGNg N+ҏ!8;s>+?durͳNvz$윬H:+CLrE:YϽ\ފO);]bE\@/V_XA \@/Vb^^OWAي@?V_@Ŋt{ sB~..W_ BtAtW+qV^?=hoE{ފ++ WC>hGU7+YQ Kub 9k]KhEz9Z9.zQJΜ8wc[j/Eթka$Hx2K&C0_4B5a+H_ ˕xĻ+L#ݞ\~2 e>C71KW],tUn0^]?&S(7p~i;ZُϋGsw3+ؠ \|1_b 9dԿ&OxV&?q>4; YcАh4|s&0N!1Jحo( |Qfƃk`%]GOW5ӯn7+66⻝1 9PfArl(TJR[TJݎwrM/bQcDË Ȋ(KT#}ˡ`tP.U&) K}g= P .5M^t FPu'!4pC>FJ5n%~CDŽi(X16h[o24f.2^8hzxyc,mc(2onJ9ܙF6؞: iJŻ?0}fܛL:8AÆ,s6NĽ[Z0 cN>@Oӌ3ӄ[Ìc,߁zvl4@;4Xl93lAxmTu9z*BM 匫ySz~w0.u[\3u{D4p{aluq12<ɰx6X6ŠǠe@ q0бGH7p'-KXv;iKGha5! Q vM@E_u&Dp6RjMh`Frd9+:f xJ cjZ8<۪9ti߆"4 3E.*"d`x\OL_=TEq…<^5E⟐|d'O2[cO]vBI3:ܴg4|E&Nz> a"~0q?K+_yt xD'Sh/I/;1[0XK`" cOil@`  +VgBg|bÖ́ xe7M[c e4p픃0!r:'0G ?,\QN-NkY!8AޘE0Pcq UWW319 ( H^0}J垑$Gg_ |zy*b37g^l(VI⦛m+sR C%R,ok6Oeј[I,ŗ =>L@ʻ9śo'b/[MzK9]&LŽiUⷓKn4Ǻ AZ+yJ>? &T|ޭk8mN`tZD89fAm'{s<˖]RZȶz SO~l]O(Co݂k\y`qiP70C]ug ѫv&٬cYƧj2LiuC(Dђ0=eJ_Fu:hY W96 -| 0qGĦVnK-ic,IE0+e;1K P``Odi;i3hjSwOl}j˳fSW<2Ym0w6LK#]ۚ':K$~Al=y{̴-WهbpAɖ{f:ąNmE7=lTt,`Gie`Z+r kㆣ[-x~{պ uKe!N_ (atgȰO/Xު8mێGL-ϰ-`j3xmEtAVǠxm񝨞L|xmE>m+09FbSL_'Il=q4հ(`^|:G8:1F`]}ٱwRȤ{i y4 !\xYe~҅ NE1k &i"[ǻR ǃAb0F c:;FrMaN*S*|J>-h\lu;U{r,S{d0'¾Er츏4QǺ|pP0ҫrXtlPoz;|:g`({B=Ay@~V!8ǧ\]> @݄68t.@W6 5zYC.F A(ixU6^O!0^f@ i-jQ%xtxsR.C795A }(˦ yh aF.tR0Kg,9ڀO|>WL휊.xnַ";Es 33GO{̲--@W$oč|E=#Ћ]NS=sDv7x ' G?Nqw lҗ1,&p n3/OL༿HưY )S#BO9ESÁjPY~3Rv!7@z {{vT͠П AJ!cF~"[h*|kAQ>r`]i6IB;,W7) h2R~k8N.V+5yc 0V84+~@uG =hi<;UeRx~{fYH }crFf dY)S?H4FWVhb566iyd+3SA #_)JUE?\Exp,EY7,#,+ KKTv@Gtk''fd>z}1Va)q PCY0u>  Tw·BML !DIzk8`nNLכo81/kWϠ 跄A泥tgԴkvh6?*##*,R;鼿^I{~N.f+G~YD«J5zJ=q'4RēܠDz35 7;uAkt̳PADZ@(C\P[bf4mqfp\Rq42 ]LNȚZd #.@3@` !b]XSqOomůV.KhF#vOoA{cM|'ՂyDpEM9ڥ:0#Z7oϦCVQtlfp/"MȟI4Vi$;0lÈȻnTJ@JXU*;\-`M B4`iǎc&ĩ fvYGbr|#BiTw4]<1 w\4whrʂ{\)qU.nxAC! 0d dK\Cf?`e_8m]t?rZ} ] -,UK:#HJT~y|?.I>wSwUQ'BB}4p^ ('4Us>oA5V7vC0 m%_őw*3]BY(D4;߷[c}br jE[!b5pap/۰NA2[,jBtbrpfh2 u*&]'Ҷidkiwh2 +/Eϰ7w?JQA