Santa Claus worm strikes IM clients

The Santa Claus worm doesn't care whether you've been naughty or nice, but it's making a list of PCs to infect this holiday season, according to a threat alert released by security firm IMlogic on Tuesday.

A new instant messaging worm called IM.GiftCom.All is making the rounds this holiday season. Rated as a "medium" threat by IMlogic, the worm attempts to get users of the instant-messaging networks run by AOL, Yahoo and Microsoft to visit a seemingly festive Web site featuring Santa Claus.

The message comes from someone already present on a user's "buddy list," said Art Gilliland, vice president of products for IMlogic. It contains a supposed link to a URL starting with "santaclause.aol.com/....."

However, clicking on that link takes users to a different Web site and triggers the download of a malicious file to a user's PC, Gilliland said. That file is created using rootkit techniques, making it extremely difficult to detect with conventional antivirus or operating system tools, he said. Once resident on a system, the file tries to shut down anti-virus software and collects personal information that can be redistributed over the Internet.

IMlogic has not recorded an instance where that personal information was actually sent out to the Internet, but the program does log information, Gilliland said.

Users are advised to avoid clicking on anything sent through an IM system unless they have verified that the file or picture is legitimate and the sender intended to pass it along, Gilliland said. IMlogic recently identified an IM bot that produces canned assurances that a file is legitimate when the recipient replies to check its authenticity, so it's important to take extra care to verify the sender's intentions, he said.

The IDG News Service is a Network World affiliate.