The newest seasonal parasite is on the loose. The recently discovered GiftCom worm spreads rapidly through instant messages sent using popular chat programs, including ICQ, AIM, MSN Messenger and Yahoo! Messenger. This pest, also known as Santa IM, attempts to persuade IM users to visit a seemingly harmless Santa Claus web site, but instead silently installs itself on the system. Although the distribution technique the worm uses is not new, GiftCom comes up roses, as most users do not expect anything dangerous from their buddies, especially if the messages they purportedly sent look like pleasant Christmas wishes. But the worm itself is not very sweet. Although it presents a lot of different “gifts” (or should we say payloads), all of them are meant only for hackers.
GiftCom comes with a rootkit that hides all harmful processes and files from most antivirus tools. First of all, the worm disables some essential Windows components and terminates running antivirus and security-related programs. Then it loads a backdoor component, which provides the attacker with unauthorized remote access to the compromised computer. The intruder can log user keystrokes, set up a hidden FTP server, intercept network and Internet traffic, contact specified web resources and steal sensitive user information. GiftCom can also change the web browser’s default home page and download a variant of the Sdbot worm. Furthermore, once the system becomes infected, the parasite starts sending bogus messages to all the contacts in the victim’s buddy list.
As you can see, seasonal threats do not differ from regular parasites. Although it is Christmas, malicious worms still bring a lot of trouble. Virus makers do not want to be good to people even on a holiday. So, don’t take any gifts from Santa IM, and don’t click on its Christmas-themed messages. It is a Bad Santa.