Facetime Security Company warns that the W32/Sdbot-ADD worm is rapidly spreading among users of AOL’s instant messaging service and is much more dangerous than previously thought.
First detected by Facetime in October, the W32 worm automatically installs a rootkit (file lockx.exe) deep within the hard drives of infected computers, allowing a group of hackers from… the Middle East to gain control over the systems. Once a PC falls into their hands, the group installs additional spyware capable of stealing users’ personal information.
According to Facetime, at least tens of thousands of computers have been infected by the W32 worm. Together they now form large botnets, which the hackers use to carry out denial-of-service attacks against certain websites.
The CEO of Facetime stated that the company has released a scanning tool that allows detection and deactivation of the aforementioned rootkit lockx.exe.
Destructive Mechanism of W32
The W32 worm attacks through AOL Instant Messenger: the message appears to come from one of the user’s contacts and prompts them to open an accompanying link. Clearly, consumers are easily deceived. Simply clicking the link triggers a barrage of adware, together with the rootkit lockx.exe, to download automatically onto the machine.
As soon as it lands on the computer, the first action the malware performs is to disable any antivirus programs while simultaneously installing software that allows hackers to control the computer remotely via IRC.
According to the latest research by Facetime, lockx.exe is very active in “opening backdoors” through which hackers install additional malware. This malware can steal usernames, passwords, and various other sensitive information. The most dangerous component is ster.exe, which allows attackers to upload and download files and closely monitor the infected computer. Other files enable them to steal Outlook Express passwords, install keylogging software, harvest email addresses stored on the machine, send spam, and launch denial-of-service attacks.
Facetime suggests that a group of hackers from the Middle East is likely behind W32. This group has targeted numerous servers in many countries around the world to spread new malware.