Slashdot Mirror


Worm With Rootkit Package Loose On AIM

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

6 of 438 comments

  1. Only Chat room users affected? by BoldAndBusted · · Score: 5, Interesting

    So, I use GAIM, and I never use the Chat rooms. Should I worry?

    1. Re:Only Chat room users affected? by Fordiman · · Score: 5, Interesting

      Hmmm... Probably not. However, I would suggest not downloading and running any exe files from unknown sources. Unlike the idiots using AIM who've been hit with this.

      But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.

      I.e., the worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.). The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.

      One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, knowing your permissions (i.e., run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist), persistent regression (i.e., making sure that the executable is in the startup files of the OS), trojaning, masking (encoding the executable and running itself via a decoder program) ...

      Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    2. Re:Only Chat room users affected? by thesnarky1 · · Score: 5, Interesting

      Yes.... your friends who don't can still send you the link. If you click it, boom. I've cleaned this off of 5 systems this month among my friends, two GAIM, and 3 AIM. It's a nasty virus, I might add, and I don't think the article does it justice. Yes, it preys upon P2P, but the worst part is, most users will click that link before thinking, so it's free bait. This is social engineering at its worst, and the only way to stop it is to tell your friends and family right now. No, this is not a chain letter, this is a plea for help, I can only reach so many people on my own. For instance, my away message on AIM right now deals with this article, and the virus.
      To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.

  2. Re:AIM client, or AIM protocol? by Kadin2048 · · Score: 4, Interesting

    Well this is true, it could just as easily be spread via email or something, but the relation to AIM is that once the virus (trojan, whatever you want to call it) gets into your system, I believe that it sends out messages to all of your contacts with the link, propagating itself.

    At least this is how several other IM viruses have been spread. I noticed that just this weekend I got several IMs from people that I haven't talked to in years (but who apparently still have me on their lists) which were nothing but links to .COM or .EXE files.

    One of them was being hosted at this address:
    http://home.earthlink.net/~two4tea/mc-110-12-00000 80.exe (It has since been removed -- the link is dead)

    And I didn't get the other URL that was going around. I downloaded the file and opened it up in a hex editor just out of curiosity (I'm on a Mac so it wasn't possible to execute anyway), but there didn't seem to be any obvious text strings or anything.

    What I wonder is how the file got up on that web site to begin with; it seems rather farfetched to believe that a virus could find out that someone has an Earthlink web page and upload itself, then send out that link, which makes me think that the person spreading the virus probably planted it there after somehow gaining access to the account, and then let the version of the virus which points to that URL out. When the linked file is removed the virus stops propagating, but by then it has already spread and nabbed a few unwary users. Unless the program has the capability of 'phoning home' to get the URL of the latest location to send out to everyone, that is. The file was a few hundred KB, so I suppose it's entirely possible that it has that capability; you could fit quite a bit of code into something like that.

    Not really my area of expertise, but perhaps someone who knows something more can elaborate on how these things work?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
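An added example, not from this thread or the C|Net article, of the first-pass triage the commenter above was doing by hand in a hex editor: pull printable strings out of a suspect download, flag any URLs and the Win32 downloader/injection APIs a dropper tends to import, and measure byte entropy. A file that shows almost no strings and close to 8 bits per byte is most likely packed or encrypted, which is exactly the case where "no obvious text strings" tells you very little. The sample bytes, the API watch-list and the thresholds are all constructed for illustration and are not taken from the real file.

```python
from __future__ import annotations
import math
import re

# Constructed stand-in for a suspect download (NOT the commenter's file): an MZ stub,
# a few cleartext strings, then 512 bytes of a high-entropy pattern imitating a packed
# section. (i*73+17) % 256 walks every byte value exactly twice -> 8.0 bits/byte.
FAKE_PACKED_SECTION = bytes((i * 73 + 17) % 256 for i in range(512))
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16
    + b"http://example.invalid/payload.exe\x00"
    + b"URLDownloadToFileA\x00CreateRemoteThread\x00"
    + FAKE_PACKED_SECTION
)

# Assumed watch-list of APIs typical for downloaders and process injection.
SUSPICIOUS_APIS = {
    "URLDownloadToFileA", "URLDownloadToFileW", "CreateRemoteThread",
    "WriteProcessMemory", "SetWindowsHookExA", "WinExec",
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len bytes long (what `strings` would print)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain x86 code usually sits around 5-7; packed/encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Summarise strings, URLs, suspicious API names and entropy for a blob."""
    strings = extract_strings(data)
    urls = [s for s in strings if URL_RE.search(s)]
    apis = sorted({s for s in strings if s in SUSPICIOUS_APIS})
    entropy = shannon_entropy(data)
    # Heuristic (assumption): almost no strings plus high entropy -> probably packed,
    # so a strings-only look will miss the real payload until it is unpacked.
    likely_packed = len(strings) < 10 and entropy > 7.0
    return {
        "string_count": len(strings),
        "urls": urls,
        "suspicious_apis": apis,
        "entropy": round(entropy, 2),
        "likely_packed": likely_packed,
    }


if __name__ == "__main__":
    for name, blob in (("whole sample", SAMPLE), ("packed section only", FAKE_PACKED_SECTION)):
        print(name, triage(blob))
```

On a real sample you would run `triage(open(path, "rb").read())` on an isolated analysis box and, if the verdict is "likely packed", unpack or dump the process memory before trusting any conclusion from the string list; for a dropper the interesting strings (the hosting URL, the contact-list spam text) frequently only appear after unpacking.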
  3. Re:How to remove it. The answer. by rhizome · · Score: 5, Interesting

    I can vouch for it.

    And who are you?

    --
    When I was a kid, we only had one Darth.
  4. Re:duh by Billly+Gates · · Score: 4, Interesting

    Try explaining that to grandma? After all, her antivirus software said nothing was installed, right?

    Explaining about APIs only makes you look incompetent if you're an IT professional, because you're not speaking down to their language to build confidence.

    I had a rootkit last month. Nothing could get rid of it but a full fdisk /mbr, where I lost everything. It was MBR-based and would append itself when running Windows, which made it nearly impossible to delete.

    Watch as spyware makers do this in the future to prevent anyone from deleting their wares.