Quantcast
PCWorld.com is upgrading some back-end systems. Some site features, such as user registration, may be temporarily unavailable.
Subscribe to magazine

AIM Worm Spreads

Security firm traces source to Middle East hackers.

Matthew Broersma, Techworld.com

  • 0 Yes
  • 0 No

The W32/Sdbot-ADD worm infecting some users of AOL Instant Messenger is more dangerous than previously thought, according to Facetime Security Labs, the researchers who discovered the worm in October.

The rootkit installed by the worm, lockx.exe, is allowing systems to be further compromised by a group of attackers based in the Middle East, according to Facetime researchers. The attackers are installing additional malicious code capable of stealing personal information, according to the group.

At least tens of thousands of systems appear to be infected, Facetime said. The company's president and chief executive, Kailash Ambwani, said that the network of infected machines could, like other large botnets, be used to carry out denial of service attacks against particular Web sites.

"We have delivered detailed research information to the U.S. federal authorities and are fully cooperating with their efforts," Ambwani said in a statement.

Facetime has published an online scanning tool that can detect and disable lockx.exe, the company said.

How Worm Works

The worm attacks via AIM, asking users to open a link, apparently at the request of one of the user's "buddies" or contacts. Clicking on this the initiates infection sequence, which starts with the dropping of a number of adware files, and the rootkit software itself, lockx.exe.

Once on the PC, the malware attempts to shut down antivirus software, install software that allows the PC to be remotely controlled by IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.

Facetime's newer research has found that lockx.exe is being actively used as a backdoor to install additional malware on systems. The additional malware can steal usernames, passwords ,and other information, and can be controlled via the IRC messaging system, Facetime said.

One of the files installed via lockx.exe, called ster.exe, specifically allows attackers to upload, download and monitor the infected PC, said Facetime. Other files allow theft of Outlook Express passwords, keystroke logging, and launching additional attacks on Web sites or networks.

A group in the Middle East appears to be behind the additional malware, according to Facetime. The group has compromised servers in various countries around the world to distribute the new malware.

  • Recommend this story?
  • 0 Yes
    0 No

"AIM Worm Spreads" Comments

Dell End of Year Deals

People who read this also read:

  • 15 Minutes to a Secure Business Get the Secure in 15 toolkit starting with the "15 Minutes Month-at-a-Glance" calendar. McAfee will send you additional tools and tricks to stay protected around the clock.
  • A Buyer's Guide to Data Protection Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.

Sponsored Links