21 December 2005
santa claus instant messenger worm
Santa IM Worm Making a List
By Jim Wagner
A worm targeting the three major instant messaging (IM) networks is spreading its payload to buddy lists.
The IM.GifCom.All worm shows up as an innocuous-seeming URL in a chat message screen, featuring a link to what appears to be a Santa Claus site, said IM security vendor IMlogic, which first discovered the worm Monday.
In reality, clicking on the link starts a download that embeds a rootkit (define) on the user's PC. The payload within the rootkit often goes by the name of gift.com, security experts at IMlogic said, and it immediately begins scanning the user's registry, file system and Internet cache.
The rootkit also contains a keylogger (define) that records the keystrokes the user performs, generally used by malicious software writers to collect sensitive information such as credit card numbers, login information and passwords.
The malicious software also attempts to shut down the user's antivirus software and make several networking calls, possibly a repository maintained by the malware (define) writer to collect keystroke information.
The worm may also try to propagate itself to the user's buddy list.
While IMlogic rated the IM.GiftCom.All worm as a medium risk, the worm is unusual in that it targets the three major public IM networks -- AIM, Yahoo IM and MSN Messenger -- as well as AOL's ICQ (define) service. Most IM worms target one or two platforms at a time.
According to statistics maintained by IMlogic, MSN Messenger is the most popular platform for IM-based attacks, accounting for nearly 44 percent so far in 2005. AIM is second on the list at 26.5 percent.
click here to view all google news stories about the santa claus im worm