Internet worm infects through AIM
Aparna Watal
Issue date: 5/6/05 Section: Sci-Tech
It spreads a variation of the W32.Spybot.Worm through the America Online Instant Messenger program with an infection length of 28,160 bytes that quickly compromises the affected computer.
The systems potentially affected are Microsoft Windows 95, 98, ME, NT, 2000, XP and Server 2003 operating systems.
All AIM users are urged to follow general precautions and not open any links in messages or follow addresses of Web sites that are unfamiliar.
The virus is characterized as 'Wild' by the Symantec Anti-Virus center, and IRT advises all students and faculty to immediately run the Live Update feature through the Symantec Antivirus protection program or from the Symantec Antivirus Center Intelligent Updater.
W32.Allim.A spreads quickly and easily among a very large number of users and hence is very dangerous.
The worm sends the following message to all the AIM contacts on a compromised computer: "Hey check out this!", where "this!" is a link to http://adw[domain removed]eo.com/gallery/pictures.php.
When the link is followed, a file is downloaded and executed. The signature performs a string match on a portion of the body of the worm W32.Allim.A as it propagates over AIM on TCP port 5190. It then copies the W32.Spybot.Worm variant.
W32.Allim.A may open a back door. It can also use the compromised computer as a traffic relay or proxy. The worm may also attempt to terminate processes and services.
Because there is no easy way to monitor the result of these actions, there is no guarantee that the W32.Allim.A worm has not hidden some other time-sensitive worms set to trigger in the future.
Reformatting is the safest way to be free of the results of this worm. It is also recommended that users change their computer and AIM login passwords.