Educause Security Discussion mailing list archives

flurry of IM worms


From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Tue, 29 Jan 2008 16:42:59 -0700

Last night and today we've been hit with a flurry of
instant messages pointing to one of a variety of
web links that end with /viewimage.php?=email () address edu
It appears that the infected machine in turn forwards
the message to its IM contact list.  Everybody here is
happy to click on a link recommended by a friend, in
spite of my "be an internet skeptic" campaign.

Is this happening to anyone else?

Bob Bayn
IT Security Team coordinator
Utah State University



Here's a thread describing what we're finding about it:

===================================================
On Tue, 2008-01-29 at 14:09 -0700, TJ Hilton wrote:
I'm working on one of the machines that clicked on the link.

As of right now I've noticed that the worm does the following things:

1 - Added a file called c:\windows\wkssvc.exe (this is a known rootkit)
2 - Added a startup entry in the registry for wkssvc.exe
(\software\microsoft\windows\CurrentVersion\run)
3 - Added file WKSSVC.exe-037d0802 to C:\Windows\Prefetch
4 - Attempted to change c:\windows\system32\drivers\etc\hosts but was
thwarted by McAfee. (was detected as Qhosts.apd)
5 - Enabled all udp/tcp services on c:\windows\system32\tcpsvcs.exe and
opened tcp & udp ports 7, 9, 13, 17, 19
6 - Enabled all services on c:\windows\system32\inetsrv\inetinfo.exe FTP,
HTTP, SMTP and opened ports 80, 443, 21, and 25
7 - Adds file c:\windows\spooler.exe
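
As an added example (not from this thread, USU, or the poster), the indicators TJ Hilton lists can be turned into a small triage script that checks an IM log export, a Run-key dump, a file listing and the set of listening ports on a suspect machine. The IM-line format ("sender: text"), the example.invalid hosts, the function names and all sample data are constructed assumptions; the indicators themselves (the /viewimage.php?= link, wkssvc.exe, spooler.exe, the Prefetch entry, the Run key and the port set) are the ones from the thread.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators taken from the thread. Sample data at the bottom is constructed.
# Lure links end with /viewimage.php?=<recipient's e-mail address>.
WORM_LINK_RE = re.compile(r"https?://\S+/viewimage\.php\?=\S+", re.IGNORECASE)
# Dropped binaries. spooler.exe is the drop name; the legitimate print
# spooler is system32\spoolsv.exe and must not be flagged.
DROPPED_FILES = {r"c:\windows\wkssvc.exe", r"c:\windows\spooler.exe"}
# Prefetch record for the dropped binary (the 8-hex-digit suffix varies per host).
PREFETCH_RE = re.compile(r"c:\\windows\\prefetch\\wkssvc\.exe-[0-9a-f]{8}(?:\.pf)?$")
# Persistence: a Run-key value launching wkssvc.exe (hive not given in the post).
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
# 7/9/13/17/19 are the Simple TCP/IP Services (echo, discard, daytime, qotd,
# chargen); 21/25/80/443 are the IIS FTP/SMTP/HTTP/HTTPS listeners.
WORM_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 443}
# Assumed IM export format: "<sender>: <message text>".
IM_LINE_RE = re.compile(r"^(?P<sender>[^:]+):\s*(?P<text>.*)$")


def find_worm_links(im_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (sender, url) for every lure link seen in an IM log."""
    hits = []
    for line in im_lines:
        m = IM_LINE_RE.match(line)
        if not m:
            continue
        for url in WORM_LINK_RE.findall(m.group("text")):
            hits.append((m.group("sender"), url))
    return hits


def check_run_key(registry: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for Run-key values that launch wkssvc.exe."""
    hits = []
    for key, values in registry.items():
        if not key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if "wkssvc.exe" in data.lower():
                hits.append((key, name, data))
    return hits


def check_files(paths: List[str]) -> List[str]:
    """Return listing entries that match the dropped files or their Prefetch record."""
    hits = []
    for p in paths:
        norm = p.lower().replace("/", "\\")   # case- and separator-insensitive compare
        if norm in DROPPED_FILES or PREFETCH_RE.search(norm):
            hits.append(p)
    return hits


def check_ports(listening: Set[int]) -> List[int]:
    """Listening ports that coincide with the worm's set (weak alone: a web
    server legitimately listens on 80/443, so it is only scored with the rest)."""
    return sorted(listening & WORM_PORTS)


def assess_host(im_lines, registry, files, listening) -> Dict[str, object]:
    """Run all four checks; two or more indicator categories is a strong signal."""
    result = {
        "worm_links": find_worm_links(im_lines),
        "run_key": check_run_key(registry),
        "files": check_files(files),
        "ports": check_ports(listening),
    }
    categories = sum(1 for v in result.values() if v)
    result["indicator_categories"] = categories
    result["verdict"] = ("likely infected" if categories >= 2
                         else "review" if categories == 1 else "no indicators")
    return result


# Constructed sample data (not real captures).
SAMPLE_IM_LOG = [
    "alice: hey look at this pic http://photos.example.invalid/viewimage.php?=bob@example.invalid",
    "bob: what is it?",
    "carol: lunch at noon? http://www.example.invalid/menu",
]
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"wkssvc": r"C:\WINDOWS\wkssvc.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "msnmsgr": r"C:\Program Files\MSN Messenger\msnmsgr.exe"},
}
SAMPLE_FILES = [
    r"C:\WINDOWS\wkssvc.exe",
    r"C:\WINDOWS\spooler.exe",
    r"C:\WINDOWS\Prefetch\WKSSVC.EXE-037D0802.pf",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
]
SAMPLE_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 3389}

if __name__ == "__main__":
    for k, v in assess_host(SAMPLE_IM_LOG, SAMPLE_REGISTRY, SAMPLE_FILES, SAMPLE_PORTS).items():
        print(f"{k}: {v}")
```

The lure-link check is the one worth running across the whole campus IM traffic, since it catches the next victim before they click; the other three are per-host checks for machines that have already been reported. Only the combination is scored, because the port list on its own will match any box running IIS.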
