Bot Under Construction

Facetime has announced (http://www.facetime.com/pr/pr060918.aspx)
that they have seen evidence of a new Internet worm that spreads via
AOL Instant Messenger.  It comes in the guise of a picture
that is actually an executable file.



The user first sees an ordinary link, but when the link is clicked,
it downloads a file called image18.com.  Details follow...


Like many IM worms, W32.pipeline first appears as an
instant message from a familiar contact, luring users into clicking on
a link with a contextual phrase. The IM message "hey would it okay if i
upload this picture of you to my blog?" downloads a command file called
image18.com, which is disguised as a JPEG. Running the file results in
csts.exe being created in the user's system32 folder, part of the
Windows operating system.



The infection has the potential to call, via the Internet Relay Chat
(IRC) channel, numerous other files that are constantly being updated.
Depending on the files downloaded, the infection may create an unwanted
service named RPCDB, open up SMTP port 25 (used for email) and attempt
to connect to a file upload site. In addition, some files attempt to
exploit ADS (alternate data streams). Users may also potentially end up
with a rootkit installed on their PC as a result of this chain of
infections.



Once the user's PC is infected and under control of the botnet, it can
be used to propagate the worm to other users using the same highly
refined contextual message, for example "hey is it alright if i put
this picture of you on my egallery album?" which will download another
command file, again disguised as a JPEG, on additional computers.



The Facetime news release does not clarify one thing.  An InformationWeek
article (http://www.informationweek.com/story/showArticle.jhtml?articleID=193003061&cid=RSSfeed_IWK_All)
explains that the exploit is unfinished.
 After installing itself, the worm attempts to contact servers
that have other executable files on them.  But the other files
are not yet present, so the worm does not yet do anything bad.
 The bot, so to speak, is still under construction.



Facetime points out that users can protect themselves by not clicking
on links sent over IM.  They also point out that people who
own Facetime software are protected against this threat.  They
do not point out that Linux and Mac OS are
not vulnerable to this threat.
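A defender-side triage check built from the artifacts the post names (a "picture" link that delivers a .com executable, csts.exe in system32, the RPCDB service), as an added example that is not Facetime's or InformationWeek's code; the file names, sample bytes and inventory lists are constructed for illustration:

```python
# Defender-side triage for the AIM worm chain above (added example, not
# Facetime's or InformationWeek's code). Built only from artifacts the post
# names: a "picture" link that delivers an executable (image18.com) and the
# first-stage host artifacts (csts.exe in system32, a service named RPCDB).
import ntpath

JPEG_MAGIC = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"
# Extensions Windows runs directly, whatever the link text suggested.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
KNOWN_FILE = "csts.exe"        # dropped into system32 by the first stage
KNOWN_SERVICE = "rpcdb"        # unwanted service the later stages may create


def classify_download(filename, head):
    """Return 'jpeg', 'executable' or 'unknown' for a file offered as a picture.
    Content (first bytes) wins over the extension; .com files have no magic
    number, so for them the extension alone decides."""
    ext = ntpath.splitext(filename)[1].lower()
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(MZ_MAGIC) or ext in EXECUTABLE_EXTS:
        return "executable"
    return "unknown"


def host_indicators(files, services):
    """Flag the post's first-stage artifacts in a host inventory of full file
    paths and service names (case-insensitive, as Windows is)."""
    hits = []
    for path in files:
        folder, name = ntpath.split(path)
        if name.lower() == KNOWN_FILE and folder.lower().endswith("system32"):
            hits.append("file:" + path)
    for svc in services:
        if svc.lower() == KNOWN_SERVICE:
            hits.append("service:" + svc)
    return hits


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header, then a fake picture named
    # like the worm's dropper (bytes arbitrary, not the real file).
    print(classify_download("me.jpg", b"\xff\xd8\xff\xe0JFIF"))
    print(classify_download("image18.com", b"\xb8\x00\x4c\xcd\x21"))
    print(host_indicators([r"C:\WINDOWS\system32\csts.exe"], ["RPCDB"]))
```

Checking the first bytes rather than trusting the name is the point: a link text or extension can say "picture" while the content is a program.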




Thanks! Extremely useful post!