Recently an unnamed Internet worm was found rapidly spreading through chat rooms and instant messages using the AOL Instant Messenger program. This parasite differs from other AOL threats: it not only secretly installs itself on the system, but also downloads and drops numerous extremely dangerous risks, including a rootkit, a backdoor, another devastating worm and several spyware and adware applications such as 180Solutions, MaxSearch, Zango, SearchMiracle, Freebrod and Media Gateway. Loxbot and Loxbot.b appear to be the only close look-alikes of the new risk.
Once executed, the worm installs a rootkit implemented as the lockx.exe file (this executable is used by a few other similar pests) and a backdoor. These components give the remote attacker full unauthorized access to a compromised computer and may hide the worm's presence in the system by cloaking its running processes, files, folders and related objects. The parasite also drops another worm called Sdbot.add. This threat is designed to open a back door and therefore can duplicate the parasite's payload. Sdbot.add propagates through unprotected network shares. And even that is not all. The parasite attempts to disable security-related programs and hijack the web browser. It also silently downloads from the Internet and installs infamous spyware and adware risks.
The worm's spreading routine is not as remarkable as its payload. The new worm arrives as an instant message from a buddy containing a link. The link purports to lead to a particular web site, image, movie or other resource, but actually points to malicious code on the Internet. Once the user clicks on it, the worm is downloaded and installed on the system. It then continues to propagate by sending similar messages to all of the victim's AIM contacts.
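The propagation pattern described above (one account pushing the same link to every contact in quick succession) is something a defender can spot in IM logs. The following is an added example, not code from the original post; the log line format, the constructed sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IM log lines (not taken from the original post).
# Assumed format: "<date> <time> <sender> <recipient> <message text>".
SAMPLE_LOG = """\
2005-11-02 14:01:05 alice bob hey check this out http://example.invalid/pic.jpg
2005-11-02 14:01:06 alice carol hey check this out http://example.invalid/pic.jpg
2005-11-02 14:01:06 alice dave hey check this out http://example.invalid/pic.jpg
2005-11-02 14:01:07 alice erin hey check this out http://example.invalid/pic.jpg
2005-11-02 14:05:00 bob alice lol what was that
2005-11-02 15:30:00 carol dave meeting moved to 4pm http://example.invalid/cal
"""

URL_RE = re.compile(r"https?://\S+")
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Turn log text into (timestamp, sender, recipient, url) events,
    one per URL found in a message; lines without a URL are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        for url in URL_RE.findall(m.group(4)):
            events.append((ts, m.group(2), m.group(3), url))
    return events


def find_fanout(events, min_recipients=3, window=timedelta(seconds=60)):
    """Return {(sender, url): [recipients]} for every sender that pushed the
    same URL to at least min_recipients distinct contacts inside one window
    (thresholds are assumed values; tune them to the environment)."""
    by_key = defaultdict(list)
    for ts, sender, rcpt, url in events:
        by_key[(sender, url)].append((ts, rcpt))
    alerts = {}
    for key, sends in by_key.items():
        sends.sort()  # oldest first; each send starts a candidate window
        for i, (start, _) in enumerate(sends):
            rcpts = {r for t, r in sends[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                alerts[key] = sorted(rcpts)
                break
    return alerts
```

A hit is a reason to quarantine the sending account and warn its contacts; a legitimate user rarely sends an identical link to several buddies within seconds.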
Needless to say, the worm is extremely dangerous. It is also difficult to get rid of. Even some powerful antivirus tools with the most recent updates sometimes have trouble completely removing the backdoor and rootkit from the system, and some spyware and adware components are often left intact.
The most effective way to avoid infection is to be very careful when clicking on links in instant messages and chat conversations, or not to follow them at all. Users of other messengers such as Trillian, Miranda or Gaim should also be wary, as these products support the AIM protocol and can receive malicious messages from affected AIM users.