Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worm With Rootkit Package Loose On AIM

Posted by Zonk on from the aol-and-a-rootkit-ouch dept.

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

5 of 438 comments (clear)

  1. Noteworthy tools by nmb3000 · · Score: 5, Informative

    I suppose that anyone in the computer tech/repair shop industry might appreciate tools like Rootkit Revealer right now.

    Hopefully Microsoft's project that hasn't been released yet will show up soon. They also have a few hints to detect rootkits installed on a system including two Slashdot links.

    Hooray for AOL.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  2. Old.. by Chickenofbristol55 · · Score: 5, Informative

    This is actually pretty old news, one of my friends got this a few weeks ago (he's not a geek, and he called me because I build this custom pc for him). It's quite easy to fix though, a good Ol' system restore fixes it, and there are many programs that can search for, and delete rootkit and other trojans (i'm talking about other programs besides antivirus programs, which sometimes have a hard time deleting these buggers). The trojan was called directX.exe, found in windows/system32 folder. My suggestion: don't click on a link from a friend before 1) you know what it is 2) and make sure that it doesn't say that your downloading a video file, when it's obviously a batch or exe file. This virus is not really a big deal, you just have to have half a brain to deal with it.

    --
    public class null extends java applet { System.out.print ("Tabula Rasa"); }
  3. Re:Only Chat room users affected? by AnamanFan · · Score: 5, Informative

    Assuming you're on a Windows operating system.

    Use of GAIM will only prevent propagation of this worm. There are more levels at play here.

    The worm is actually installed from a link you would click on from an infected IM. Nothing fancy here, it's just a simple HTML link. Clicking on this link will call up your web browser. What happens here depends on both the browser, patches, browser settings, and you. In IE, it's likely that the executable will just run it. Or, ask you to download/run said file. The latter true for Firefox or Opera as well as IE.

    In any case, if your computer runs this executable, the computer in infected and it's game over. BUT, you won't be spreading the worm to others since you're using GAIM. The spreading of the worm depends on the AIM (or AOL?) client running on the computer.

    That is until the worm writers also write for GAIM.

    --
    AnamanFan - Trying to find the Truth, one post at a time.
  4. Re:duh by killa62 · · Score: 5, Informative

    Actually, rootkits go out of their way to be undetected.
    (Shamelessly stolen from grc.com)
    "What happens is, they essentially modify the way the OS itself works. They're compromising the operating system kernel. You know, in operating system terminology we have the notion of a kernel, which is the OS core. And then you've got applications which run as sort of clients of that operating system. So a program you're running, you know, Corel Draw or Outlook or whatever, that's a client of the operating system. Well, so are the spyware scanners. So when you're running even a spyware scanner, it's saying to the operating system - in fact, for example, there are two API calls that's "find first file" and "find next file." So if you ever want to, like, do a directory listing, you'll say "find first file *.*," and it gives you the first file. And then you successively call "find next," "find next," "find next," until it returns no more files. That's all there is to it. So that's - so anything that's scanning your system is basically doing that.

    Well, imagine if something altered the way the "find first" and "find next" operated, so that it was intercepting the response back to you, out of the operating system, back to any application that was asking, so that if it was about to report one of its own files, it would call - it would say, whoops, and call "find next" again on your behalf, skipping over that file. Suddenly any program running on the operating system will not see any of those stealthed, rootkitted files. They just disappear. "

    link
    http://www.grc.com/sn/SN-009.htm

  5. IE and i.e. by stonedonkey · · Score: 5, Informative

    IE: The worm is a compact, surreptitious BT/Kademlia client.

    Took me a second to realize that "IE" meant "id est" and not Internet Explorer. And "id est" means "that is," not "for example," also known as e.g. (exempli gratia).

    Handy cheat sheet:

    i.e. = id est = that is (not commonly captitalized, or puncuated as an acronym like IE)

    e.g. = exempli gratia = for example

    There's your pendantic lesson of the day :p