Users login

Create an account »


Users login

Home » Hacking News » Root-kit hits AIM users

Root-kit hits AIM users

by Nikola Strahija on October 31st, 2005 A potentially destructive new worm is targeting users of AOL’s AIM instant messaging service.

W32/Sdbot-ADD is a worm with a troubling and innovative twist – it installs a root-kit backdoor on any machine it manages to infect.

The attack starts with an AOL IM user being asked to open a link. Clicking on this starts the infection sequence, dropping of a number of adware files, and the rootkit software itself, lockx.exe.
Once on the PC, the malware attempts to shut down anti-virus software, install software that allows the PC to be remotely controlled by IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.

According to Chris Boyd of Facetime, the researcher who first discovered the malware, it has strange properties that mark it out. Several of the adware components it installs have been seen before, but what was innovative was the mixture of many different components, the installation of such a potentially dangerous executable, and the fact it attacks via the generally unprotected channel of instant messaging.

Facetime’s tests indicated that several anti-virus programs were not able to detect the malware. Equally, most anti-virus programs don’t monitor the IM channel, so this is not surprising. Once on a PC, the malware runs like any other unidentified executable.

Boyd described the new and dangerous W32/Sdbot-ADD malware bundle as being a low to medium risk, but one the company was publicising because of its dangerous effects. If it infected a PC, he would consider reformatting the machine from scratch, he said.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »