[ISN] Santa Claus worm strikes IM clients

InfoSec News isn at c4i.org
Thu Dec 22 02:05:28 EST 2005


http://www.networkworld.com/news/2005/122005-santa-claus-worm.html

By Tom Krazit
IDG News Service
12/21/05

The Santa Claus worm doesn't care whether you've been naughty or nice,
but it's making a list of PCs to infect this holiday season, according
to a threat alert released by security firm IMlogic on Tuesday.

A new instant messaging worm called IM.GiftCom.All is making the
rounds this holiday season. Rated as a "medium" threat by IMlogic, the
worm attempts to get users of the instant-messaging networks run by
AOL, Yahoo and Microsoft to visit a seemingly festive Web site
featuring Santa Claus.

The message comes from someone already present on a user's "buddy
list," said Art Gilliland, vice president of products for IMlogic. It
contains a supposed link to a URL starting with
"santaclause.aol.com/....."

However, clicking on that link takes users to a different Web site and
triggers the download of a malicious file to a user's PC, Gilliland
said. That file is created using rootkit techniques, making it
extremely difficult to detect with conventional antivirus or operating
system tools, he said. Once resident on a system, the file tries to
shut down anti-virus software and collects personal information that
can be redistributed over the Internet.

IMlogic has not recorded an instance where that personal information
was actually sent out to the Internet, but the program does log
information, Gilliland said.

Users are advised to avoid clicking on anything sent through an IM
system unless they have verified that the file or picture is
legitimate and the sender intended to pass it along, Gilliland said.  
IMlogic recently identified an IM bot that produces canned assurances
that a file is legitimate when the recipient replies to check its
authenticity, so it's important to take extra care to verify the
sender's intentions, he said.




