Bot Under Construction

has href="http://www.facetime.com/pr/pr060918.aspx">announced
that they have seen evidence of a new Internet worm that spreads via
AOL Instant Messenger.  It comes in the guise of a picture,
that is astually an executable file.  



The user first sees an ordinarily link, but when the link is clicked,
it downloads a file called image18.com.  Details follow...


Like many IM worms, W32.pipeline first appears as an
instant message from a familiar contact, luring users into clicking on
a link with a contextual phrase. The IM message "hey would it okay if i
upload this picture of you to my blog?" downloads a command file called
image18.com, which is disguised as a JPEG. Running the file results in
csts.exe being created in the user's system32 folder, part of the
Windows operating system.



The infection has the potential to call, via the Internet Relay Chat
(IRC) channel, numerous other files that are constantly being updated.
Depending on the files downloaded, the infection may create an unwanted
service named RPCDB, open up SMTP port 25 (used for email) and attempt
to connect to a file upload site. In addition, some files attempt to
exploit ADS (alternate data streams). Users may also potentially end up
with a rootkit installed on their PC as a result of this chain of
infections.



Once the user's PC is infected and under control of the botnet, it can
be used to propagate the worm to other users using the same highly
refined contextual message, for example "hey is it alright if i put
this picture of you on my egallery album? " which will download another
command file, again disguised as a JPEG, on additional computers.



The Facetime news release does not clarify one thing.  An href="http://www.informationweek.com/story/showArticle.jhtml?articleID=193003061&cid=RSSfeed_IWK_All">article
posted on explains that the exploit is unfinished.
 After installing itself, the worm attempts to contact serves
that have other executable files on them.  But the other files
are not yet present, so the worm does not yet do anything bad.
 The bot, so to speak, is still under construction.



Facetime points out that users can protect themselves by not clicking
on links sent over IM.  They also point out that people who
own Facetime software are protected against this threat.  They
do not  point out that Linux and Mac OS are
not vulnerable to this threat.



Tags

More like this

I like MySpace, it brought me over from Friendster and now I use it almost exclusively. I've found old friends, new friends, and also a nasty virus which hijacked my profile last week and used my name to post a bunch of crapola ads on the Message Boards. I wondered what the heck happened, how did…
tags: Harry Potter, computers Those of you who love Harry Potter might be deceived into downloading a worm onto your computer via infected USB memory drives. If users plug these drives into their Windows PCs, they are liable to infect their machines with the appropriately named Hairy-A worm.…
Photographer Scott Rowed has penned an excellent essay on his experience making the switch to Linux, and he's agreed to place it here as a guest post. Please read it and pass it on to people, school districts, small island nations, and others who may benefit: Switching to Linux by Scott Rowed…
Photographer Scott Rowed has penned an excellent essay on his experience making the switch to Linux, and he's agreed to place it here as a guest post. Please read it and pass it on to people, school districts, small island nations, and others who may benefit. This is a repost from about two years…

Thanks! Extremely useful post!