Get Warm (Not Worm) For Christmas



As Christmas draws near, we have been on the lookout for malware taking advantage of the season, and sure enough we came in contact with one.

ISC has reported that it is spreading via a message that says:

“This AIM user has sent you a Greetings Card, to open it visit:
http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM”

But in truth the link goes to http://{blocked}34.156/My_Christmas_Card.COM which is an AIM Worm.

So just to be on the safe side, be on the lookout for this message. The worm also drops a file at %WINDOWS%\lsass.exe, so if you notice two processes with the name lsass.exe, then you’re probably infected.

The malware has already been passed to the service team and I will update this once I get the reply for its detection.


Update (Ivan, 07 December 2005 09:18:26)

This Christmas IM Worm is now detected as WORM_AIMDES.E since CPR 2.986.04.


Update (Ivan, 08 December 2005 00:37:43)

A report has also been received that AIMDES.E also spreads via another URL in a similar message:

“This AIM user has sent you a Christmas Card! To open it please visit: http://greetings.aol.com/index.pd?source=greetingscard?my_christmas_card.scr This senders personal note: Merry Christmas!”

Here is a screenshot:



The link actually goes to the malware site which is:

{blocked}.17.26/My_Christmas_Card.scr.
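An added example, not part of the original post: a Python check for the pattern both lure messages share, a link whose text ends in an executable extension (.COM, .scr) after the host part. The function names and the extension list are assumptions of this example, and the third sample message is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Extensions Windows runs directly; .com and .scr are the two used in the lures.
# The rest of the list is an assumption of this example.
EXECUTABLE_EXTS = {".com", ".scr", ".exe", ".pif", ".bat", ".cmd"}
URL_RE = re.compile(r"https?://[^\s\"'<>“”]+", re.IGNORECASE)

# The two lure messages quoted in the post, plus one constructed benign message.
SAMPLE_MESSAGES = [
    "This AIM user has sent you a Greetings Card, to open it visit: "
    "http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM",
    "This AIM user has sent you a Christmas Card! To open it please visit: "
    "http://greetings.aol.com/index.pd?source=greetingscard?my_christmas_card.scr "
    "This senders personal note: Merry Christmas!",
    "Photos are up at http://www.aol.com/ (constructed benign message)",
]


def executable_tail(url):
    """Return the executable extension a URL's path or query ends in, or None.

    The host is ignored on purpose, so the ".com" of "aol.com" never matches;
    only what follows the host can name a file to download.
    """
    parts = urlsplit(url)
    for component in (parts.path, parts.query):
        # Last token after any separator the lure stuffs into the URL.
        tail = re.split(r"[/?&=]", unquote(component))[-1].lower()
        dot = tail.rfind(".")
        if dot > 0 and tail[dot:] in EXECUTABLE_EXTS:
            return tail[dot:]
    return None


def flag_message(text):
    """Return [(url, extension)] for each URL in an IM message naming an executable."""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")  # drop trailing sentence punctuation
        ext = executable_tail(url)
        if ext:
            hits.append((url, ext))
    return hits


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(flag_message(message))
```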