Slashdot Mirror


Santa IM Worm Hits AOL, MSN and Yahoo

elmtree95 writes "CNET News reports a Santa Claus worm is attempting to trick America Online, Microsoft MSN and Yahoo instant-messaging users into clicking on a file that delivers unwanted software to a victim's computer. The IM.GiftCom.All worm attempts to dupe IM users into thinking an acquaintance has sent them a link to a harmless Santa Claus file. IM security vendor ELMTree Software has released a patch to their ChatPatrol (www.chatpatrol.com) product to address this issue."


  1. I bet it isn't as good as: by Anonymous Coward · · Score: 4, Funny

    "lol, it's not a virus."

  2. Presents by lord_sarpedon · · Score: 2, Funny

    Oh boy! A Bonzi Buddy! Just what I wanted. Thank you, Santa.

    --
    "Strangers have the best candy" -Me
  3. Gee, not even Santa Claus loves Mac users. by crovira · · Score: 2, Funny

    Gee, first post.

    As a Mac user I feel really lonely.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  4. gotta love free advertising by Anonymous Coward · · Score: 5, Insightful

    elmtree95 writes.... IM security vendor ELMTree Software has released a patch to their ChatPatrol

    'nuff said

    1. Re:gotta love free advertising by BadassJesus · · Score: 2, Interesting

      "IM security vendor ELMTree Software has released a patch"

      ... and we all hope (in reverent silence) that they haven't released the Santa Claus worm itself also

  5. Dear Santa.w32... by Anonymous Coward · · Score: 5, Funny

    Please, please don't bring me any gifts. The bicycle you fired at me last year from your bicycle gun really tore up my insides.

    -- AIM user

  6. How does it work? by the_humeister · · Score: 3, Interesting

    Since the user has to click on a link, I assume the browser type matters?

    1. Re:How does it work? by setirw · · Score: 3, Informative

      Not necessarily. It could be linked to an EXE or PIF, which a naïve user would open. If the target ignores all browsers' warnings about harmful EXEs, in combination with Windows's hiding of file extensions... (somefile).jpg .exe is something I've seen many times. By the way: Does IE prompt that PIF/BAT files are potentially dangerous when downloading? How about VB scripts?

      --
      This message printed on 100% post-consumer recycled electrons.
    2. Re:How does it work? by thesnarky1 · · Score: 2, Informative

      If you remember the other big IM worm a few weeks (months?) ago, browser didn't matter. Just user stupidity. So, as I said then, tell your friends and family to NOT CLICK LINKS! Unless of course, whomever im'ed them can repeat a phrase, such as "I AM a bot, you stupid fool!!!" Security at its finest.

    3. Re:How does it work? by Anonymous Coward · · Score: 3, Informative

      It's a '.com' (like command.com) file being distributed. User clicks accept to start the file transfer. On completion, the IM client turns the filename into a clickable link which, if clicked, starts the malicious component.
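A file-name check that an IM client plugin or gateway could run on offered transfers, covering the two tricks described in the replies above: a directly executable extension such as `.com`, and a decoy extension padded out in front of the real one. This is an added example, not code from the thread or from any product named in it; the extension lists and the sample names in the test are constructed assumptions.

```python
import re

# Extensions Windows runs directly. The replies mention .com, EXE, PIF, BAT and
# VB scripts; .scr and .cmd are added here as an assumption.
EXECUTABLE_EXTS = {"com", "exe", "pif", "bat", "vbs", "scr", "cmd"}
# Harmless-looking extensions used as a decoy (constructed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


def screen_filename(name):
    """Return the reasons an offered file name looks dangerous (empty list = no finding)."""
    reasons = []
    # Win32 path handling drops trailing dots and spaces, so "card.exe. " is "card.exe".
    cleaned = name.strip().rstrip(". ")
    parts = [p.strip().lower() for p in cleaned.split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension ." + real_ext)
    # "photo.jpg.exe": with extensions hidden, the user only sees "photo.jpg".
    if any(p in DECOY_EXTS for p in parts[1:-1]):
        reasons.append("decoy extension before ." + real_ext)
    # "photo.jpg      .exe": whitespace pushes the real extension out of view.
    if re.search(r"\s+\.[^.\s]+$", cleaned):
        reasons.append("whitespace padding before ." + real_ext)
    return reasons


def should_block(name):
    """Policy used in this example: block any transfer with at least one finding."""
    return bool(screen_filename(name))
```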

  7. Santa's Motives by setirw · · Score: 5, Funny

    better !pout !cry
    better watchout
    lpr why
    santa claus town
    cat /etc/passwd >list
    ncheck list
    ncheck list
    cat list | grep naughty >nogiftlist
    cat list | grep nice >giftlist
    santa claus town
    who | grep sleeping
    who | grep awake
    who | egrep 'bad|good'
    for (goodness sake) {
    be good
    }

    Dang, I guess he really meant the last three lines!!

    --
    This message printed on 100% post-consumer recycled electrons.
    1. Re:Santa's Motives by setirw · · Score: 2

      That should be:

      santa claus <north pole >town

      I forgot to submit it as plain text :(

      --
      This message printed on 100% post-consumer recycled electrons.
    2. Re:Santa's Motives by ErichTheWebGuy · · Score: 5, Funny
      Personally, I woulda said:
      mv /etc/northpole/santaclaus ~/town
      But that's just me :P
      --
      bash: rtfm: command not found
  8. Ho ho ho. by mctk · · Score: 2, Funny

    Harmless Santa Claus file? More like insubordinate Claus file.

    --
    Paul Grosfield - the quicker picker upper.
  9. It's a /. story... by Trailer Trash · · Score: 3, Insightful

    And an advertisement, all in one convenient package!

  10. What's next? by queenb**ch · · Score: 4, Funny

    Maybe we can push the Sony root kit out via IM to all of Sony's employees. Anyone know if they have a corporate IM server?

    2 cents,

    Queen B

    --
    HDGary secures my bank :/
  11. Technically You're Wrong by Afecks · · Score: 5, Insightful

    It delivers it to anyone... it only works on Windows.

    Sorry but if you want to nitpick, be prepared to receive the same.

  12. Re:User's fault again by mattmacf · · Score: 2, Informative

    taking the warnings off doesn't help when a worm installed across several thousand idiots starts DOSsing a site I'm trying to get to. licking a 110v wire shouldn't knock my power out.

    regardless, it looks like just another silly aim worm (albeit with a festive holiday flair).

    --
    I only mod funny =D
  13. Re:WTF? by User 956 · · Score: 3, Funny

    You've never heard of a .Claus file? You can open it with Stuffit Expander.

    (Yeah, I never have it installed, either)

    --
    The theory of relativity doesn't work right in Arkansas.
  14. ironic? by Afecks · · Score: 2, Funny

    how ironic seeing as it's the holiday season and people are susceptible

    I don't think that word means what you think it means...

  15. Watch out! by techno-vampire · · Score: 2, Funny

    Oh, you better watch out,
    You better not cry,
    You better not chat,
    I'm telling you why:
    Santa Worm is coming to town!

    --
    Good, inexpensive web hosting
  16. Santa has less love for Linux users... by cloricus · · Score: 4, Funny

    You guys are the lucky ones as you can just ignore this lump of coal. Us poor Linux users will be up all Christmas night hacking away at wine to get this worm emulated so we don't feel left out.

    Convincing the Windows crowd that we are compatible is such a pain... :(

    --
    I ate your fish.
  17. It can't just be me.... by ShyGuy91284 · · Score: 3, Funny

    The thought crossed my mind that the "delivers unwanted software" hyperlink would be a hotlink to the virus. I know if I were sadistic enough I would have done it in samzenpus's place.....

    --
    In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
  18. How much does a story like this cost? by trance9 · · Score: 4, Insightful

    So is slashdot running paid stories now? How much do I have to pay to have a story of my choice run and mention my company like this?

    1. Re:How much does a story like this cost? by detlev409 · · Score: 2, Interesting
      Agreed. I call shenanigans. Check out Elmtree's profile. This account was created with the express purpose of promoting the ChatPatrol product.

      This is nothing more than an underhanded marketing attempt, piggybacking on a genuine virus alert. OOoo...the shadiness...

      --
      Howdy.
  19. Re:ChatPatrol by Anonymous Coward · · Score: 4, Informative

    It's not even a ripoff of Gaim, it's just a lousy non-free, non-Free, Windows-only plugin for the commercial IM clients, being hawked using an account which is employed for that purpose only. elmtree95's one and only /. post.

    Does it install a clue for users silly enough to download and run executables being pushed by anonymous strangers?

    "IM security vendor." How pathetic.

    Editors, please don't put spam stories like this on the site. That's all it is.

  20. IM Logic withholds details of Santa Claus worm, un by themepsp · · Score: 2, Interesting

    Please read this post regarding IM Logic: http://security-protocols.com/modules.php?name=News&file=article&sid=3135

    "If you have been looking for more details on the IM.GiftCom.All threat, you won't find them. Why, you ask? Two reasons, first, IM Logic didn't release any and second, you are most likely not an IM Logic customer.

    IM Logic withholds details of Santa Claus worm, unless you're a customer

    On Dec. 19th IM Logic released an advisory about a worm spreading through all major IM clients. See advisory for details, or lack thereof. You will need to search for IM.GiftCom.All at http://www.imlogic.com/im_threat_center/index.asp

    IM Logic did not publicly release any actionable information that would help the community at large. Not because they don't have the details, but because they only share that with paying customers, according to Tim Johnson, the Director of IM Logic's threat center. Mr. Johnson also said that "this is not unethical" and he doesn't see what all the fuss is about. All you have to do is buy the company's product and you will be protected.

    Johnson did mention that they have a process they follow. They first create the signatures for their products, and then they notify all the affected vendors. Don't worry; the vendors will fix it ASAP. Then they tell the antivirus vendors about what they know. Hopefully they can detect and stop any current infections, if not...you're screwed. Then you as a non-customer have the opportunity to wait for a signature to come out by your antivirus vendor so that you can tell if a hacker has a rootkit loaded in your environment.

    Oh wait, darn it, I almost forgot, according to the official advisory, antivirus vendors can't detect Santa Claus; apparently Santa can put your antivirus to sleep. I always thought Santa knew if you were sleeping, not able to put you to sleep; but I digress.

    So what is the world and security community supposed to do? Well according to IM Logic, pay them the money and they will take care of it for you. Hmm, I wonder where else we find this type of behavior. Hold on guys, Toni the Bull is at my back door, brb, need 2 make my "insurance payment" AFK.... Back, sorry it took so long. I just hurt my knee; I was short on my "insurance payment" this month.

    Anyway, haven't we been down this road before? Security companies should follow the same procedures that ethical and responsible researchers follow when disclosing vulnerabilities. Most companies are responsible, those that aren't... should we reward them by purchase order? Not this security guy."

  21. Re:WTF? by MntlChaos · · Score: 2, Informative

    except they're not random people. You'd think they were your friends.

  22. Re:Say it with me people by Beale · · Score: 2, Insightful

    Yeah! And why should pressing down the accelerator in my car make me crash into stuff?

  23. Re:User's fault again by BigDogCH · · Score: 2, Insightful

    I agree totally. Everyone in my family has been warned about not clicking on links in IM, and opening email attachments, and ...

    Yet they don't think it is their fault when they get a virus/worm/spyware.

    Unlike the ignorant Linux fanboys on /., I do not think it is their fault just for using Windows, but they need to be somewhat responsible. The sad part is, even after 10 years of Windows problems, I still have family that insist they don't need security updates, firewall, and the like.