New IM Worm Targets AIM Users to Deliver Adware Payload

FOSTER CITY, Calif., Jan. 6 /PRNewswire/ -- Research experts at
FaceTime Security Labs(TM), the threat research division of FaceTime
Communications, identified and reported a new threat today affecting
AOL Instant Messenger (AIM) applications. The new worm targets PC
hosts infected with lockx.exe or palsp.exe and utilizes IRC-enabled
malware to connect the host to a server for further infection through
a series of commands. One of the commands has the ability to control
the AIM client on the infected host and send a message containing
links to the AIM buddy list. When recipients click on the link, they
become infected with new variants of the IRC-enabled malware along
with an installation executable, "creame.exe", which delivers multiple
adware payloads including Zango and 180solutions.

Who is affected: All users who have been infected by "lockx.exe"
or "palsp.exe" or its variants are most at risk. Users can initiate a
free online scan which can detect and disable files such as lockx.exe
by visiting: www.facetime.com.

Threat Type: Worm

Risk Level: High

Additional Information:

This worm sends one of the following messages to buddies on the AIM
contact list of the infected machine:

(1) "great picture :) http://www.picteurestrail.net/Mastermon/XXXXXX.JPG"

(2) "not a right time to take a picture haa :-)
http://www.picteurestrail.net/Mastermon/XXXXXX.JPG"

(3) "not a right time to take a picture haa :-)
http://www.pictrail.net/Matelord/XXXXXX.JPG"

(4) "not a right time to take a picture haa :-)
http://www.picstrailx.net/Mateslord/XXXXXX.JPG"

This past November, FaceTime security researchers discovered how the
AIM RootKit worm was tied to the worldwide Bot network controlled by a
hacking group in the Middle East.

FaceTime Customers Can Prevent This Threat

FaceTime Enterprise Edition and IMAuditor customers can proactively
block these malicious threats and prevent infections before they
happen by blocking downloads of the specific executable files
associated with the threat. FaceTime also recommends activating the
Day Zero Defense System within IMAuditor 6.5. The system utilizes
anomaly detection techniques to analyze multiple characteristics of
IM-borne worms and other malicious code against normal behavior, and
provides patent-pending protection against these threats without the
need for traditional security signatures. FaceTime RTGuardian
customers are automatically protected if they have auto update
features enabled. FaceTime's X-Cleaner customers (formerly XBlock)
should download the latest update and scan their PC to detect and
remove lockx.exe files.

About FaceTime Communications

Founded in 1998, FaceTime Communications is the leading provider of
security solutions for the management and control of greynet
applications such as adware/spyware, instant messaging, P2P file
sharing, web conferencing and instant voice. FaceTime Security Labs
delivers the industry's first IMPact Index, which assesses
"point-in-time" risks posed by viruses, worms and other malware
propagating through greynet applications. FaceTime's award-winning
solutions are used by over 500 customers, among them eight of the ten
largest U.S. financial institutions. FaceTime supports and has
strategic partnerships with all leading public and private IM network
providers, including AOL, Google, Microsoft, Yahoo!, IBM, Bloomberg,
Jabber and Reuters. For more information, visit www.facetime.com.

FaceTime is headquartered in Foster City, California. For more
information visit http://www.facetime.com or call 888-349-FACE.

SOURCE FaceTime Communications