Bot Under Construction

Facetime has announced (http://www.facetime.com/pr/pr060918.aspx)
that they have seen evidence of a new Internet worm that spreads via
AOL Instant Messenger.  It comes in the guise of a picture
that is actually an executable file.



The user first sees an ordinary-looking link, but clicking it
downloads a file called image18.com.  Details follow...


Like many IM worms, W32.pipeline first appears as an
instant message from a familiar contact, luring users into clicking on
a link with a contextual phrase. The IM message "hey would it okay if i
upload this picture of you to my blog?" downloads a command file called
image18.com, which is disguised as a JPEG. Running the file results in
csts.exe being created in the user's system32 folder, part of the
Windows operating system.
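The lure described above works because "image18.com" reads like a web address while Windows treats ".com" as an executable extension. The following added example (not Facetime's or InformationWeek's code) inspects the file name at the end of an IM link and flags executables posing as pictures; the messages and hostnames are constructed samples modelled on the quoted lure.

```python
from urllib.parse import urlsplit, unquote

# Extensions Windows runs directly when the "picture" is opened.
EXECUTABLE_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}


def classify_link(url: str) -> dict:
    """Report what a link really downloads and why it looks suspicious."""
    parts = urlsplit(url.strip())
    # Last path segment, percent-decoded so 'me.jpg%20%20.scr' is
    # inspected as 'me.jpg  .scr' (padding spaces hide the real extension).
    filename = unquote(parts.path.rsplit("/", 1)[-1]).lower()
    tokens = [t for t in filename.split(".") if t]
    real_ext = tokens[-1] if len(tokens) > 1 else ""
    image_decoy = any(t.strip() in IMAGE_EXTS for t in tokens[:-1])
    reasons = []
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{real_ext} is executable")
        if real_ext == "com":
            # 'image18.com' reads like a domain but is a DOS/Windows binary.
            reasons.append("'.com' is a file extension here, not a TLD")
    if image_decoy and real_ext not in IMAGE_EXTS:
        reasons.append("image extension used as a decoy before the real one")
    return {"filename": filename, "real_ext": real_ext,
            "suspicious": bool(reasons), "reasons": reasons}


def suspicious_links(messages):
    """Return (url, reasons) for every flagged link in a batch of IM text."""
    flagged = []
    for msg in messages:
        for word in msg.split():
            if word.startswith(("http://", "https://")):
                verdict = classify_link(word)
                if verdict["suspicious"]:
                    flagged.append((word, verdict["reasons"]))
    return flagged


# Constructed sample messages modelled on the article's lure; hosts are placeholders.
SAMPLE_MESSAGES = [
    "hey would it okay if i upload this picture of you to my blog? "
    "http://lure.example/pics/image18.com",
    "hey is it alright if i put this picture of you on my egallery album? "
    "http://lure.example/gallery/me.jpg%20%20.scr",
    "look at this http://photos.example/album/beach.jpg",
]
```

Calling `suspicious_links(SAMPLE_MESSAGES)` flags the first two links and leaves the genuine JPEG alone.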



The infection has the potential to download, via an Internet Relay Chat
(IRC) channel, numerous other files that are constantly being updated.
Depending on the files downloaded, the infection may create an unwanted
service named RPCDB, open SMTP port 25 (used for email) and attempt
to connect to a file upload site. In addition, some files attempt to
exploit ADS (alternate data streams). Users may also end up
with a rootkit installed on their PC as a result of this chain of
infections.



Once the user's PC is infected and under control of the botnet, it can
be used to propagate the worm to other users using the same highly
refined contextual message, for example "hey is it alright if i put
this picture of you on my egallery album?", which will download another
command file, again disguised as a JPEG, on additional computers.



The Facetime news release does not clarify one thing.  An article
posted on InformationWeek (http://www.informationweek.com/story/showArticle.jhtml?articleID=193003061&cid=RSSfeed_IWK_All)
explains that the exploit is unfinished.
After installing itself, the worm attempts to contact servers
that have other executable files on them.  But the other files
are not yet present, so the worm does not yet do anything bad.
The bot, so to speak, is still under construction.



Facetime points out that users can protect themselves by not clicking
on links sent over IM.  They also point out that people who
own Facetime software are protected against this threat.  They
do not point out that Linux and Mac OS are
not vulnerable to this threat.



Thanks! Extremely useful post!