AV-killing worm spreads via Facebook chat and IM clients

A rather industrious piece of malware that – among other things – paves the way for other malware by disabling AV solutions and software update modules has been spotted spreading via several Instant Messaging applications (ICQ, Skype, GTalk, Pidgin, MSN, YIM) and Facebook:

The victims receive a message from an unknown user, offering a link to a funny or interesting video. If they follow it, the malware in question downloads automatically from the linked site and is executed.

The worm is capable to do many unwelcome things on the victims’s computer:

  • It can bypass any existing firewall by marking itself as an allowed program
  • It drops copies of itself into a number of folders and hides them
  • It creates a run entry that will make it start every time a machine reboots
  • It searches the computer for AV solutions, Windows and Yahoo Update modules, then tries to disable them
  • It changes IE’s start page and modifies Firefox’ and Chrome’s preference file
  • It receives commands from a remote attacker, which instructs it to enumerate instant messenger windows in the victim’s machine and post the message that promises an interesting video in order to spread itself further, or posts the same message in a Facebook chat after having sent a chat request on Facebook’s chat window.

But, as McAfee researchers point out, the worm is easy to remove.

“We kill the running instances of this process using Process Explorer or Task Manager,” they shared. “The start-up entry made by the malware must be cleared as well to avoid its reloading after rebooting.”

Users can protect themselves from this and other threats by not following links posted by unknown online “friends” or known contacts without checking whether they meant to do so or were the unsuspecting victims of this or similar malware.

Don't miss