AIM worm plays nasty new trick

A worm found spreading via America Online's Instant Messenger is carrying a nastier punch than usual, a security company has warned.

The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack.

"A very nasty bundle is downloaded to your machine" when you click on the worm link, said Tyler Wells, senior director of engineering at FaceTime. "This is the first time that we have seen a rootkit as part of the bundle of applications that is sent to your machine. It is a disturbing trend."

Resource center
Identity theft

Experts debate key issues in ID fraud. Get the latest information here.

IM worm and malicious code attacks are happening more than ever before. The number of threats detected for instant-messaging and peer-to-peer networks rose 3,295 percent in the third quarter of 2005, compared with last year, according to a recent report from security provider IMlogic.

In addition to the "lockx.exe" rootkit file, the new worm delivers a version of the Sdbot Trojan horse, said FaceTime, which sells products to protect instant-messaging traffic. Sdbot opens a backdoor on the infected PC. The worm also places several spyware and adware applications, including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, the company added.

All that unwanted software can eat up system resources, slowing down the PC, Wells said. Also, the malicious applications will attempt to disable security programs and change the search page on the user's Web browser, FaceTime said.

The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. "It is still out there, and it is definitely something the user should be leery of," Wells said. "The rootkit is designed to not be detected, and that is the scary part."

Worms on IM networks can spread rapidly. They appear as a message from a buddy with a link that looks innocent, but in fact points to malicious code somewhere on the Internet. Once the user clicks on the link, malicious code is installed and runs on the computer. The worm then spreads itself by sending messages to all names on the victim's contact list.

The advice to users is to be careful when clicking on links in IM messages--even when they seem to come from friends--and to use up-to-date antivirus software. When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not.

[Jeremybard]

SOlution?

How can I eliminate the virus, supposing I have acquired it?

[Bob Brinkman]

download this

<a class="jive-link-external" href="http://free.grisoft.com/doc/1" target="_newWindow">http://free.grisoft.com/doc/1</a><br />and Keep your virus database up to date. <br /><br />This isn't a bad idea either. <br /><a class="jive-link-external" href="http://www.safer-networking.org/en/download/" target="_newWindow">http://www.safer-networking.org/en/download/</a><br /><br />VERY IMPORTANT!!!! IF you have another virus scanner installed, such as Norton, UNINSTALL IT FIRST!!! Bad things will happen if you try and run two virus scanners at once.

[cyber_rigger]

Common denominator

"How can I eliminate the virus, supposing I have acquired it?"<br /><br /><br />Eliminate the common denominator, Microsoft Windows.<br /><br />I did that 11 years ago and haven't looked back since.

[aabcdefghij987654321]

Nuke and reload

Detection tools will only detect things they know about. If anything else was loaded it'll still be present even if all the rest was removed. The *only* way you can be completely sure of the machine again is to wipe everything.

[texan46]

Solutions?

All we can hope for,as a user of computers and the web, is that we are using a virus protection software that will constantly update itself as each day a new and dangerous threat seems to come out. I disagree with one other persons idea of getting/using ANY free virus program. THINK--if it is free, just how good can it be? DUH!!!! I use a program that I have had confidence in for years ( and by that, I mean over 20 years) and I have been as safe as anyone CAN be. Let's face it.....we are never truly safe until there is a complete halt to anyone creating virii of any sort. In a real world, this will never happen. All we can do is cling to the hopes that whatever virus detection program we use will make every effert to to stay abreast of the threats and create some type of eradicator for us.

[ryeguy8585]

Solution = GET A MAC

Get a Mac and all those stupid problems go away

[the Otter]

True enough.

Been using Macs for 17 years and never had a single virus or <br />malware program?nor do I expect to ever see one. :-)

[jotomaino]

Not necessarily

All you need to do is use common sense. I've never had a virus and I'm on a PC. Just don't click stuff that you don't know where it goes.

[jetcheber]

Not necessarily, part two

The argument of "get a mac and viruses go away" is not really that valid. The reason virus writers write, and especially this one, is to gain access to computers. If everyone starts migrating to Mac, there will be a slew of Mac viruses created, guaranteed.

[aabcdefghij987654321]

MAC = new stupid problems

Stupidity always finds a way.

[jharder]

An odd sense of satisfaction

You feel it when you click that link, watch your computer download <br />the virus, and then sit back while Tiger goes "*** am I suppposed <br />to do with this?"

[dhaynes]

Easy Solution

All you have to do this is copy the link location and paste it to see where the link is actually taking you see if the domain name is even related to the link given by your friend). Also if it ends with '.exe' or a '.scr', you probably shouldn't go to that website.

[digitallysick]

im sure your aol anti spyware caught it ? right?

hahaha of course not, its all garbage, delete aol, get a real isp, and try mac, or linux, save yourself some money

[e2ndo]

Love Your Post!

Thanks for making me smile!<br /> :o)

[Gasaraki]

LOL

Funny and I agree

exactly

Save yourself money.. get some knowledge and get Linux. I am not going to be all uppity and say Linux has never had a virus.. because it has. And that's whats great about Linux.. everyone helping to improve it. And the guy saying no virus for Mac OSX, must not have done their research.. took me less than a minute to google a website and find a virus written for Mac OSX

[Kamokazi]

But then..

Not only is my OS under the grip of a monopolistic tyrant, my hardware is too, and it costs 3-4 times more. Not to mention none of my games and half of my apps won't run.<br /><br />There's a much simpler solution-don't be stupid and click on random links. But if you aren't capable of that, sure, get a Mac.

[jetcheber]

Innovative

No no no, you see when Microsoft forces you to use their products, that's monopolistic. <br /><br />But when Apple forces you to buy a new computer every two years, that's innovation.

That sums it up.

Thats basically sums it up for me too. I don't use Windows because I want to look at the Windows desktop, I use it because I want to run programs.<br /><br />If I was going to sacrifice my software library on the altar of security, I'd do it to Linux and not to Apple. Then I wouldn't have to buy a new system at all. At worst, I might have to replace some hardware.

[Magnus Dredd]

WTF?

Ummm, is it monopoly that you have to buy a new Ford vehicle with a Ford engine? Have HP/IBM/Commodore/DEC/SGI/Sun been monopolistic tyrants due to the fact that they control both hardware and software? And before you mention beige box IBM/HP machines, you don't know enough to reply, since you apparently aren't aware enough of the larger picture to comment. Is it better to have collusion where you can buy a Sony machine, but you MUST use windows on it due proprietary windows-only hardware?<br /><br />Also I'm not sure where those new $125 machines you're referring to are? Minis are $500 new, $480 for me (edu price). It's a cheapo box, but then again the basic OEM x86 boxes with no discrete video memory are too.<br /><br />I don't play that many games, and there's enough available to waste lots of time, including (Unreal Tournament series, ID games, Blizzard games, Civ 3, AVP1&#38;2, Red Faction, Sims, C&#38;C Generals, Ghost Recon, and I don't have all day to list all of them). I really like Red Faction and AVP for LAN games, and it works fine. Games are where the platform is the weakest. If you want a toy machine, build a wintendo (I did).<br /><br />Dearth of Apps? You're kidding right? How many apps do you need? I do just fine between the huge list of proprietary stuff and OSS stuff to boot. Biggest use are: Office, Fire (trillian with inline spell check), VLC, Mplayer (linux port, no windows version), Xcode, iLife suite, Audacity, iTerm (terminal with tabs), SubEtha Edit (network aware, multiple user, document/code editor), Quickbooks Pro, and much more than it's worth to mention.<br /><br />I should probably mention that I work in IT. I manage windows networks. I also run XP Pro (games are 90% of what I use it for), Slackware Linux, FreeBSD, Solaris, OS9 (as a joke, my print server to prove it could be done)... My SGI is currently non-working :( I used to dual boot FreeBSD and 98.<br /><br />With OSX I can use all the apps I used under windows and I have a *nix command line, and secure surfing environment all the time. While I have yet to have either my Slackware firewall hacked or my XP Pro boxes infected, they're not invulnerable. Zero-day exploits exist. If you happen across one you will be infected if you trigger it (which is easier than you might think, with an older version of Outlook/OE you could overrun a buffer in the email and infect a machine apon them recieving the message, viewing it was not required). With the XP boxen I'm very careful. When I got mailed the "I Love You" virus, I opened it up, and took a look at the virus's code, which was kinda interesting.<br /><br />The old Mac hatred BS is old and getting lame. I used to call em Macintrash and all kinds of crap until a more mature friend clued me into OSX. I still hate OS9, but I hate it for valid, firsthand observed failings. Do some research into what the strengths and weaknesses of a platform is before looking stupid. Personally I hate wizards. Show the control panel/config file and leave me alone. Windows gets in my way more every year with the wizards, and that's a firsthand observation.<br /><br />Apple's failing is they do cost more to get decent horsepower, and Network Management software and games are lacking. You're also more limited in hardware choice.<br /><br />Windows failure is that it does everything and seemingly nothing incredibly well. It supports ten tons of hardware with poorly written drivers, ten million poor applications that can trash your registry/dlls. Building a decent box is an exercise in checking on what hardware is solid and has good drivers.<br /><br />PS: Apple could not have written something as cool as OSX. It's updated NeXTstep through and through. So while it may have a candy coat, it's the same OS that was created with security in mind, which is why it was used by the CIA among other agencies.

I got hit with this last week Tuesday

Our machines are fully patched. The web site launched a malware attack via the browser on the computer. It installed the Trojan which was stopped by the virus software which had up to date definitions. So Virus defs were up to date and the pc was fully patch. Yet the malware launched and sent an IM to all IM users and infected some local files which were quarantined. I cleaned up the pc's and the restore folder. Next week I will be installing IPS sofware (Sana Security)to prevent zero day Malware attacks such as this.

[visualbowler]

How can we identify it?

Okay, so we know a virus is out there, but what else is new. What the article didn't say is how to identify the virus... I have never gotten an AIM virus, but there is a first time for everything, what do we look out for?

[wjp]

Just curious

Why does nearly everyone work as administrator? If you run as an unprivileged user, you get a second chance before installing stealth programs. This goes for Mac OS, too. They won't be safe as soon as someone bothers to write the same kind of virus for them.

[richardablitt]

Re: Just curious

Not sure about macs, but for windows most programs have to be run as administrator due to the design of the OS. Setting up users to have admin accounts by default is probably eaiser than them having to put a password in every time they want to run certain programs.

Unfair

You know how much you gave to microsoft or symantec? Thats just an unfair statment.

[n3td3v]

IMLogic report

Be cautious of that recent IMlogic report. It is misleading in the way it relates to worms on Yahoo IM network. While Yahoo IM has had phishing attacks on its network, it has yet to have a worm. Plus, I think it was Websense Security that first broke the news of this AIM threat. I never see CNET talking to Websense Security that much. I have alot of respect for the people at Websense Security, they do a good job.

[Johnny Mnemonic]

Tux et bona et fortuna est...

I'm not a Windows user, consequently I'm not<br />afraid of receiving email or instant messages<br />from total strangers.<br /><br />The box said: "Requires Windows 98/2000/XP/NT, <br />or better." So, I installed LINUX!<br /><br />"In a world without walls and fences, <br /> who needs windows and gates?"<br /><br />Tux et bona et fortuna est. ;)

[cyber_rigger]

software library

Here is my software library.<br />(16,000+ packages)<br /><br /><a class="jive-link-external" href="http://packages.debian.org/stable/" target="_newWindow">http://packages.debian.org/stable/</a><br /><br /><br />Debian comes with this slick install/uninstaller/update/patch tool<br />called synatic.<br /><br /><a class="jive-link-external" href="http://www.nongnu.org/synaptic/action.html" target="_newWindow">http://www.nongnu.org/synaptic/action.html</a><br /><br />Most other Linux distros have something simmilar.<br /><br />I just tried the free version of Xandros.<br />I has an installer that makes Microsoft Windows look pitiful.<br /><br /><a class="jive-link-external" href="http://www.xandros.com/products/home/desktopoc/dsk_oc_download.html" target="_newWindow">http://www.xandros.com/products/home/desktopoc/dsk_oc_download.html</a>

[bugmenot]

Debian

Synaptic is nice, though I prefer Aptitude. Nice thing about open systems is choice as you can switch between them.<br /><br />Aptitude is console based, so faster but not as pretty (unless you count colourful as pretty). Nicest feature is that it will automatically uninstall things it automatically installed when you no longer need them. <br /><br />I'd agree with the point on Windows Installer having had to delve into the guts of it. It is quite ugly. How many primary keys do you need to identify a product or component?<br /><br />The one advantage I thought MSI had over Deb was the ability to embed dependencies, but that can be solved easily in deb. Add a CDROM or web site to Deb (and Synaptic provides a nice menu for this) and the CDROM can also include dependencies which will be autoinstalled as needed.

[RichardET]

Very Scary

It is annoying that average users who simply <br />want to enjoy this amazing technology and <br />entertain themselves chatting with friends have <br />to put up with this virus/worm crap. The way I <br />see it, the only viable solution is to go to a <br />locked down version of BSD/Unix or Linux; only <br />when the number of MS Windows users drops enough <br />that MS stock is in the toilet, only then will <br />MS take this problem seriously and write an OS <br />which is not so vulnerable.

[funk49]

Re: Paranoid

I work in InfoSec and can tell you, telling someone on a board to <br />"go to this link, download this file and disable your Virus <br />protection" is the dumbest advice I've ever heard...and yes, I do <br />this for a living so I AM PARANOID.<br /><br />This is how people on the Internet get OWNED. and how all of <br />their financial data gets sent to some jackass in Estonia or <br />Romania.<br /><br />Good job, and **** Googling for this. It's all about educating <br />people not to blindly follow links like sheep.

[Thunder Johny]

follow links like sheep

<a class="jive-link-external" href="http://www.analogstereo.com/rover_75_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/rover_75_owners_manual.htm</a>

[funk49]

Hard to identify

Windows rootkits are extremely difficult to catch because of the <br />way Windows was designed (user level mode vs. kernel level <br />mode). I'm not sure whether anti-virus tools can even scan <br />kernel level mode space because of the trusted nature of <br />everything that runs in the kernel.<br /><br />One good example are device drivers that you install for <br />hardware support. They reside in the kernel and this is the <br />reason why there are security controls in WIndows to prompt for <br />confirmation before installing drivers.<br /><br />In a nutshell, rootkits are a ***** and terrible to find.

[ajkrause]

HELP ME!!!

My home computer got infected with this a few weeks ago...it continued to work alright for about a week and then it crashed and will not boot. What should I do?? There are a million articles about how bad this is, but not how to fix it. What do you do once your computer has gone into a coma?

[xiandude]

you must make a decision

IF you know how to make a boot disk and IF you can download the latest virus definitions then you MIGHT be able to clean off the virus yourself. Or you can bring it to your local computer shop, where they will probably charge you one or two hours labor to make things right, and that would be a fair and resonable charge. It may seem like a lot of money, but that's the way it goes. Hey, I'm great with computers, but when my plumbing breaks, I call a plumber...

[zoobster]

Poor journalism

"This is the first time that we have seen a rootkit as part of the bundle of applications that is sent to your machine. It is a disturbing trend." <br /><br />If it's the *first time* you've seen this, how can it be a *trend*? Was that a vehicle for being able to place "disturbing" in your article? Why can't reporting done with accuracy and editing?

[xiandude]

not poor journalism

Uhm, dude - the article was quoting someone. The fact that the PERSON said the one item was a trend reflects a misunderstanding on the part of the person quoted, not on the part of the person doing the quoting. FYI, there are many decaffinated brands that are just as tasty.<br />Never thought I would see the day when I would be defending a journalist...

[user7145]

umm ...

That was a quote, it wasn't written by the article's author. Is he supposed to change the quotation?

[etherwhisp]

If you build it, they will trend.

Obviously you do not delve into nefarious activities.<br /><br />Hackers tend to learn from their peer's mistakes as well as their accomplishments.<br /><br />If the rootkit works, they'll exploit it.

[Thunder Johny]

first time

<a class="jive-link-external" href="http://www.analogstereo.com/mazda_truck_b_series_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/mazda_truck_b_series_owners_manual.htm</a>

[Thunder Johny]

bundle of applications

<a class="jive-link-external" href="http://www.analogstereo.com/volvo_240_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/volvo_240_owners_manual.htm</a>

[Magnus Dredd]

wow.... so sincere, so clueless

What you should have said:<br />Buying a Mac is a viable solution. It's strange that windows users generally use the Admin account(root). You'd think Microsoft would invest in something to secure their OS better.<br />-----<br />Root-kits are software specific, the fact that it's a PC (x86 machine) does not mean it's vulnerable. Linux is likewise not affected by this regardless of what the computer is. Likewise, AIM is a free service and does not make Time-Warner money directly. TW spending great deals of money on AIM is probably not in their best interests.<br /><br />As far as administration; I generally prefer to administer in order of preference: Slackware, OSX (mostly from CLI), FreeBSD, some other *nix, Windows NT (2k,XP), WinDOS (95,98,ME), Classic MacOS. OS9 and OSX have virtually nothing in common, especially with regards to administration. OS9 and OSX were not even created by the same company. So talking about adminstering Macs, is like saying administering IBMs, which could mean mainframes or cheapo PCs.

[snowball77]

wow information

Mac may be a viable solution. <br /><br />What do I know of root kits and root users. The kit makes the <br />intended OS vunlerable. <br /><br />We have no choice, its XP or else. AIM is free and because of that <br />we can all breath easy. Unless you put your name on it.

[Thunder Johny]

free service

<a class="jive-link-external" href="http://www.analogstereo.com/jaguar_x-type_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/jaguar_x-type_owners_manual.htm</a>

[erisajd]

Hmm, AOL AND Windoze - a very bad combo

seems to me the major problem is the great unwashed using Windows AND AOL .. . mostly they can be conned into clicking on FEE V-I-A-Gra help me spell links and helping Patrice Mwumba clear 150million from his oil revenues after having his wife and 13 children kidnapped in Botswana.<br /><br />Look - I MUST use a Windoze machine for work, but I do ALL of my home websurfing and 100% of my internet online sales transactions on a Mac. Sorry, you mac haters out there, but my mac laptopn and desktop at home are perfectly safe - even from mac viruses, since nothing can install itself.

[TheGear-20649376645277024]

Why not AOL for Linux

How come AOL hasn't released a Linux version? That's the only thing keeping me on Windows.

[techguy83]

Who says macs cant get viruses?

LOL, they must beleive all those apple supported facts that get published. Look people, I do tech support. I have seen OSX macs with virueses. So, dont say they cant get viruses. I have let a mac user cuss me blue up and down and tell me how stupid i am because macs cant get viruses. Then he runs his little used antivirus program, and lo and behold, he has a virus! <br /><br />Seriously though, Windows needs better security from the average idiots. But, my feeling is, its like the firefox issue. As more people start using macs, the more people will look to write viruses/spyware that will affect macs. <br /><br />Remember people, 90% of virus/spyware writers are doing it for the money they can make selling information. Or to further annoy Windows Users.<br /><br />The true virus writer: A mac user mad that his OS is not number 1 :P <br /><br />Peace

[tdowling]

Tech support, huh?

You probably should do a little more reading up on Macs and <br />virus software. If a person with a Mac has a Windows virus <br />located on the hard drive, a virus checker will find it and flag it. <br />That DOES NOT mean that the Mac was infected. Essentially, it <br />was just acting as a container for the virus which was likely <br />received through an e-mail attachement. However, it is still <br />essentially "live" and can theoretically be transferred to a PC, <br />where it will do its damage.

[volvoman]

Ok listen up

Are you sure that it wasn?t a Windows virus that his antivirus <br />program detected? I would like to know what the program detected <br />it as, because I too work in this field except its not just IT, I also <br />design software programs for UNIX (including Mac OS), Linux, <br />Symbian, Solaris, and Windows. Please share with all of us if you <br />think that Mac OS is not #1 what the virus was called, also since <br />you are in tech support you should also know that viruses cannot <br />spread on a Macintosh computer like it does with windoze if there <br />ever was one written for OS X.

[sr71000]

what??

first of all, those are linux distro's which is a whole different os. Granted they are more secure (at the moment) that's a huge learning curve that's just not an option for the average user. Why not let people know what you're talking about before you just go and sound smart rattling off useless info to people who don't understand you. rather than confuse people, why not try to help?<br /><br />Suse, knoppix, and whatever else he mentioned are linux distro's which would require you to reformat the whole computer and replace windows. With this, you can't run most windows based programs, granted there are free alternatives, but it is a confusing step and I'd suggest finding a forum or community where you can get support before you make the switch. I personally reside at techimo.com which is a great forum if you're looking for one, or you can find a local linux user group to help you through the switch if this is what you decide. If you're interested, try knoppix, which is a bootable cd, so you don't actually have to install...and when you get frustrated or sick of it...just pop the disk out and restart and boom...there's windows :).

[sr71000]

whoops

sorry....replied in the wrong spot....don't know how to delete :( my bad