My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Santa IM Worm

Myantispyware team December 23, 2005 No Comment

A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they’re infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed “M.GiftCom.All,” is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a “Medium” threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a “Low” classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs. When users naively visit that site — which is billed as a harmless Santa site — a file is automatically downloaded to their computers. The file, usually named “gift.com” includes rootkit elements that cloaks it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user’s IM client contact list

Description: This worm broadcasts a URL out over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. Also it does keystroke logging and may attempt to propagate itself over IM client.

After examine the malware , found that 69.56.129.67 is hosting it. When executed, gift.com resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts connections to tcp/53, gift.com renames itself to c:\windows\winrpc.exe, and sets itself up as the service “Windows RPC Services”. There is no rootkit built in, it is totally dependant on download instructions from the command and control site. Rather than calling it a “worm” as was reported in the press, a more accurate description is that it’s a bot with replicating capabilities.

by sansblog

Worms

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Santa IM Worm

Leave a Reply Cancel reply

New Guides

.Devos file extension. Remove virus. Restore .[qq1935@mail.fr].Devos files.

How to remove Forms Wizard (Virus removal guide)

How to remove Search.formswizardtab.com [Chrome, Firefox, IE, Edge]

How to remove Sawhitpew.site pop-ups (Virus removal guide)

How to remove Oakpyxyea.com pop-ups (Virus removal guide)

Follow US

Search

Useful Guides

How To Recover Encrypted Files (Ransomware file recovery)

How to reset Google Chrome settings to default

AdwCleaner – Review, How to use, Comments

How to reset Mozilla Firefox (Updated Apr. 2018)

This setting is enforced by your administrator (Removal guide)

Recent Posts

Symantec AV RAR library vulnerability

Panda Antivirus for Linux

CCleaner (Crap Cleaner) is a freeware system optimization and privacy tool

AD-Aware Update 19.12.2005

How to remove Needupdate (securityerrors) hijacker (uninstall)

MYANTISPYWARE.COM

NEED A HELP ?

Links