Worm With Rootkit Package Loose On AIM

Mr0624 writes "According to a recent article on C|Net a new worm is swiftly spreading via AIM to many computers. It delivers a brutal root-kit which bypasses security software and takes control of a PC." From the article: "The worm was spotted in an AOL IM chatroom and infected one of the PCs that FaceTime uses for worm bait. The company said it also has seen the pest hit other computers. 'It is still out there, and it is definitely something the user should be leery of ... The rootkit is designed to not be detected, and that is the scary part.'"

Only Chat room users affected?

[BoldAndBusted]

So, I use GAIM, and I never use the Chat rooms. Should I worry?

Re:Only Chat room users affected?

[Fordiman]

Hmmm... Probably not. However, I would suggest not downloading and running any exe files from unknown sources. Unlike the idiots usin AIM who've been hit with this.

But you know what? I'm not going to be frightened by a worm or virus until someone writes one that works via bittorrent.

IE: The worm is a compact, surreptitious BT/Kademlia client. There are distributions of the nasty part built for Win32, OSX, and Linux, floating on the torrentstream. The nasty part can be any size, and has constantly updated exploit code for numerous pluggable targets (for example, you, as the virus writer, could add a torrented executable for exploiting a new bug in filezilla server, or in Apache, etc.) The virus core would download this and run it on the local machine. It could even be "smart", and detect the target machine's servers before getting and running the exploit. Once the exploit is run at the target machine, it uploads the BT client virus core for the appropriate architecture, and the process starts again.

One could use the usual tools for preventing detection and removal: polymorphic code, torrential code (code that is split on function barriers and resorted in random order on a per-spread basis), multiple copies, Knowing your Permissions (IE: run itself as user X, make user X root/admin, set permissions so that only user X can know the executable and process exist.) Persistent regression (IE: making sure that the executable is in the startup files of the OS) Trojaning, masking (encoding the executable and running itself via a decoder program) ...

Y'all should be happy I don't write virii. I've been fighting with them so long, I think I'd be pretty good at it...

Re:Only Chat room users affected?

[thesnarky1]

Yes.... your friends who don't can still send you the link. If you click it, boom. I've cleaned this off of 5 systems this moonth among my friends, Two GAIM, and 3 AIM. Its a nasty virus, I might add, and I don't think the article does it justice. Yes, it prerys upon P2P, but the worst part is, most users will click that link before thinking, so its free bait. This is social engineering at its worst, and the only way to stop it is to tell your friends and family right now. No, this is not a chain letter, this is a plea for help, I can only reach so many people on my own. For instance, my away message on AIM right now deals with this article, and the virus.
To answer the parent's question, as long as X person out there has this virus, you are affected, because they can send you the link.

Re:How to remove it. The answer.

[rhizome]

I can vouch for it.

And who are you?