My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.


Santa IM Worm

Myantispyware team, December 23, 2005

A new worm posing as a come-on for a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site they are infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed “M.GiftCom.All,” is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services and is a “Medium” threat, a relatively rare classification for the Waltham, Mass.-based company: most IM worms and Trojans listed on its Threat Center receive only a “Low” classification.

Like virtually all IM worms, M.GiftCom.All includes a URL in the messages it spams out to contacts hijacked from previously infected PCs. When users naively visit that site, which is billed as a harmless Santa site, a file is automatically downloaded to their computers. The file, usually named “gift.com”, includes rootkit elements that cloak it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user’s IM client contact list.

Description: This worm broadcasts a URL over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system, and internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several networking calls. It also performs keystroke logging and may attempt to propagate itself over IM clients.

After examining the malware, we found that 69.56.129.67 is hosting it. When executed, gift.com resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts connections to tcp/53; gift.com renames itself to c:\windows\winrpc.exe and sets itself up as the service “Windows RPC Services”. There is no rootkit built in; it is totally dependent on download instructions from the command and control site. Rather than calling it a “worm”, as was reported in the press, a more accurate description is that it’s a bot with replicating capabilities.

by sansblog
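As an added, defender-side example that is not part of the original post or of the SANS write-up it quotes: a small Python matcher that flags log lines carrying the indicators reported above (the two IP addresses, the smtp.girlsontheblock.com host, the gift.com and winrpc.exe file names, the “Windows RPC Services” service name, and a TCP session to port 53 toward a listed IP, since the sample talks to tcp/53 on a host that is not a DNS server). The log line formats, the 10.0.0.x workstation addresses and the benign lines are constructed assumptions; the indicators themselves come from the post.

```python
import re

# Indicators reported in the post above (IPs, host, file names, service name).
IOC_IPS = {"69.56.129.67", "38.118.133.241"}
IOC_HOSTS = {"smtp.girlsontheblock.com"}
IOC_FILES = {"gift.com", "winrpc.exe"}
IOC_SERVICES = {"windows rpc services"}  # compared case-insensitively

_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
_FILE_RE = re.compile(r"[\w.-]+\.(?:exe|com)\b", re.I)
_SERVICE_RE = re.compile(r"service name:\s*([^|]+)", re.I)
_TCP53_RE = re.compile(r"\btcp\b.*:53\b", re.I)

# Constructed sample lines (assumed DNS, firewall, proxy and Windows
# service-installation formats; none are real captures).
SAMPLE_LOGS = [
    "2005-12-20 09:14:02 dns 10.0.0.12 query smtp.girlsontheblock.com A -> 38.118.133.241",
    "2005-12-20 09:14:03 fw allow tcp 10.0.0.12:1043 -> 38.118.133.241:53",
    "2005-12-20 09:13:40 proxy 10.0.0.12 GET http://69.56.129.67/santa/gift.com 200",
    "2005-12-20 09:14:10 evt 7045 | service name: Windows RPC Services | path: C:\\WINDOWS\\winrpc.exe",
    "2005-12-20 09:15:00 evt 7045 | service name: Remote Procedure Call (RPC) | path: C:\\WINDOWS\\system32\\svchost.exe",
    "2005-12-20 09:16:22 dns 10.0.0.15 query www.example.com A -> 93.184.216.34",
]


def match_line(line):
    """Return the sorted indicator categories found in one log line (empty if clean)."""
    hits = set()
    if set(_IP_RE.findall(line)) & IOC_IPS:
        hits.add("ip")
        # A TCP session to port 53 toward a listed IP is the C2 pattern described
        # above; flag it separately so it can be prioritised over a plain IP hit.
        if _TCP53_RE.search(line):
            hits.add("tcp53")
    if any(h.lower() in IOC_HOSTS for h in _HOST_RE.findall(line)):
        hits.add("host")
    if any(f.lower() in IOC_FILES for f in _FILE_RE.findall(line)):
        hits.add("file")
    m = _SERVICE_RE.search(line)
    if m and m.group(1).strip().lower() in IOC_SERVICES:
        hits.add("service")
    return sorted(hits)


def scan(lines):
    """Map each matching line to its categories; clean lines are left out."""
    report = {}
    for line in lines:
        cats = match_line(line)
        if cats:
            report[line] = cats
    return report


if __name__ == "__main__":
    for line, cats in scan(SAMPLE_LOGS).items():
        print(", ".join(cats), "|", line)
```

The service-name check is an exact, case-insensitive match on the name the post reports, so the legitimate “Remote Procedure Call (RPC)” service in the benign sample line is not flagged; the file check matches basenames only, so the path the post gives (c:\windows\winrpc.exe) is caught wherever the file is logged.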


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
