New AIM worm

[AMessler]

Malware authors just opened their own holiday season. We received couple of reports of a new AIM worm spreading. The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering.

The user will receive the following AIM message:

"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?so...ristmas_card.C OM"

Instead of going to the AOLs site, this link actually points to a different site (http://<REMOVED>.<REMOVED>.134.156/My_Christmas_Card.COM) from which the user will download the worm. This file is a SDBot variant and at the moment the most popular AV programs detect it generically.



Update: There is also a variant going around that redirects to the same IP, but downloads, My_Christmas_Card.SCR. Note, that many of the AV vendors identify this as a variant of SDBot.

[0wn4g3]

Thanks for the update. I remember about 2-3 months ago various buddies on my aim buddy list would send me I'Ms with a link and if I hover over the link the end of the link would not be html it would be .com which is warning sign #1. Was SDbot the culprit earlier?