New (December) AIM Worm

[genXer]

Hello all-

Just saw this pop-up on the SANS Internet Storm Center, ISC, on news about a new AIM Worm - that supposedly uses Social Engineering.

Link: http://isc.sans.org/

Story so far:

New AIM worm
Published: 2005-12-06,
Last Updated: 2005-12-06 01:55:38 UTC by Bojan Zdrnja (Version: 2(click to highlight changes))

Malware authors just opened their own holiday season. We received couple of reports of a new AIM worm spreading.
The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering.

The user will receive the following AIM message:

"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?so...stmas_card.COM"

Instead of going to the AOLs site, this link actually points to a different site (http://<REMOVED>.<REMOVED>.134.156/My_Christmas_Card.COM) from which the user will download the worm.
This file is a SDBot variant and at the moment the most popular AV programs detect it generically.

Thanks to Joshua!

Update: Some readers have alerted us, and we have confirmed, that there is also a variant going around that redirects to the same IP, but downloads, My_Christmas_Card.SCR. Note, that many of the AV vendors identify this as a variant of SDBot.

So the "Happy Holidays" are already starting! Woo-hoo.

[keezel]

It seems like there are always more AIM worms being spread around this time of year for some reason. I've seen several in the past couple of weeks, but very few up until then. One girl managed to catch one that brought a bag full of goodies with it, and within a week's time it had butchered her hard drive. She brought it into on-campus tech support and we ran disk check...it ran for three days. It was insane.

[rapier57]

But, AOL says they have all this neat new security stuff that takes care of the user and prevents this kind of thing. How could this possibly happen?

duh.