A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they’re infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed “M.GiftCom.All,” is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a “Medium” threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a “Low” classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site — which is billed as a harmless Santa site — a file is automatically downloaded to their computers. The file, usually named “gift.com” includes rootkit elements that cloaks it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user’s IM client contact list
Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM client.
After examine the malware , found that 126.96.36.199 is hosting it. When executed, gift.com resolves smtp.girlsontheblock.com to 188.8.131.52 and attempts connections to tcp/53, gift.com renames itself to c:\windows\winrpc.exe, and sets itself up as the service “Windows RPC Services”. There is no rootkit built in, it is totally dependant on download instructions from the command and control site. Rather than calling it a “worm” as was reported in the press, a more accurate description is that it’s a bot with replicating capabilities.