Matthew Broersma, Techworld.com
The W32/Sdbot-ADD worm infecting some users of AOL Instant Messenger
is more dangerous than previously thought, and more persistent than
ever in spreading, according to Facetime Security Labs, the
researchers who discovered the worm in October.
The rootkit installed by the worm, lockx.exe, is allowing systems to
be further compromised by a group of attackers based in the Middle
East, according to Facetime researchers. The attackers are installing
additional malicious code capable of stealing personal information,
according to the group.
At least tens of thousands of systems appear to be infected, Facetime
said. The company's president and chief executive, Kailash Ambwani,
said that the network of infected machines could, like other large
botnets, be used to carry out denial of service attacks against
particular Web sites.
"We have delivered detailed research information to the U.S. federal
authorities and are fully cooperating with their efforts," Ambwani
said in a statement.
Facetime has published an online scanning tool that can detect and
disable lockx.exe, the company said.
How Worm Works
The worm attacks via AIM, asking users to open a link, apparently at
the request of one of the user's "buddies" or contacts. Clicking on
this the initiates infection sequence, which starts with the dropping
of a number of adware files, and the rootkit software itself,
Once on the PC, the malware attempts to shut down antivirus software,
install software that allows the PC to be remotely controlled by IRC,
and open a backdoor for future attack. It also contains an SMTP engine
with which to collect email addresses.
Facetime's newer research has found that lockx.exe is being actively
used as a backdoor to install additional malware on systems. The
additional malware can steal usernames, passwords,and other
information, and can be controlled via the IRC messaging system,
One of the files installed via lockx.exe, called ster.exe, specifically
allows attackers to upload, download and monitor the infected PC, said
Facetime. Other files allow theft of Outlook Express passwords, keystroke
logging, and launching additional attacks on Web sites or networks.
A group in the Middle East appears to be behind the additional
malware, according to Facetime. The group has compromised servers in
various countries around the world to distribute the new malware.
Ambwani noted that the Instant Messenger progam of America Online
(AIM) should generally be regarded as dangerous because of the
'hospitality' it shows to W-32/sdbot-ADD and its rootkit 'lockx.exe'.
He recommended scans to search for and destroy this worm, as soon as
possible. As always, avoid opening attachments from strangers, and
often times even people you know will unwittingly pass it along.
Copyright 2005 PC World Communications, Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, PC World Communications.
For more information go to: