
This worm broadcasts a link over IM clients; the link downloads an executable file, often named gift.com. When that file is run, it hides itself and scans the registry, file system and Internet cache. Because it operates as a rootkit, its processes are hidden from most tools and anti-virus software. The malicious code also attempts to shut down anti-virus software running on the desktop and makes several network calls. It also logs keystrokes and may attempt to propagate further over IM clients.
Users may also be taken to a site that downloads a variant of the Sdbot worm, which uses the IRC protocol as its backdoor command channel.
While payloads often link to redirection sites outside the United States, at least one instance of this threat was being hosted on an ISP in Dallas, Texas.
rootkit
techweb
A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It runs at the lowest level of the machine and typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user.
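The cross-view check a rootkit detector performs, as an added example that is not part of this page or of techweb's definition: the "hooked" listing below applies the kind of filter a readdir()-intercepting rootkit would, the "raw" listing reads the same directory through the getdents64 system call (which a hook on the C library never sees), and any name present only in the raw view is a hidden file. It assumes Linux with glibc; the scratch directory, its file names (gift.com reused from the description above) and the hide_name rule are constructed for the demonstration and stand in for a real rootkit's hiding logic.

```c
/* Cross-view detection of a user-mode file-hiding hook. Added example, Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 64
#define NAME_LEN  256
struct listing { int count; char names[MAX_NAMES][NAME_LEN]; };

/* Record layout returned by the getdents64 system call (see getdents(2)). */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };

static void add_name(struct listing *l, const char *name) {
    if (l->count >= MAX_NAMES) return;
    snprintf(l->names[l->count], NAME_LEN, "%s", name);
    l->count++;
}

/* Hooked view: libc readdir() plus the suppression a file-hiding rootkit would
 * apply. hide_name is a hypothetical stand-in for the rootkit's own hiding rule. */
int list_hooked(const char *dir, const char *hide_name, struct listing *out) {
    DIR *d = opendir(dir);
    struct dirent *e;
    out->count = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, hide_name) == 0) continue; /* the rootkit drops it */
        add_name(out, e->d_name);
    }
    closedir(d);
    return out->count;
}

/* Raw view: the same directory read with the getdents64 syscall, so a hook
 * installed on libc's readdir() never sees the request and cannot filter it. */
int list_raw(const char *dir, struct listing *out) {
    char buf[8192];
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    out->count = 0;
    if (fd < 0) return -1;
    for (long n; (n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long off = 0; off < n;) {
            struct linux_dirent64 *rec = (struct linux_dirent64 *)(buf + off);
            add_name(out, rec->d_name);
            off += rec->d_reclen;
        }
    }
    close(fd);
    return out->count;
}

/* Number of entries the raw view has that the hooked view lacks (-1 on error).
 * A nonzero result is the cross-view discrepancy a rootkit detector reports. */
int cross_view_hidden(const char *dir, const char *hide_name) {
    struct listing hooked, raw;
    int hidden = 0;
    if (list_hooked(dir, hide_name, &hooked) < 0 || list_raw(dir, &raw) < 0) return -1;
    for (int i = 0; i < raw.count; i++) {
        int found = 0;
        for (int j = 0; j < hooked.count && !found; j++)
            found = strcmp(raw.names[i], hooked.names[j]) == 0;
        hidden += !found;
    }
    return hidden;
}

/* Constructed fixture: a scratch directory with three empty files, one of them
 * named after the dropper described above. */
int make_fixture(char *path, size_t len) {
    const char *files[] = { "notes.txt", "gift.com", "cache.dat" };
    snprintf(path, len, "/tmp/cvdemo_XXXXXX");
    if (!mkdtemp(path)) return -1;
    for (int i = 0; i < 3; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", path, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 0;
}

/* Builds the fixture and runs the cross-view check with hide_name suppressed. */
int demo_hidden_count(const char *hide_name) {
    char dir[64];
    if (make_fixture(dir, sizeof dir) < 0) return -1;
    return cross_view_hidden(dir, hide_name);
}

int main(void) {
    printf("entries hidden while gift.com is suppressed: %d\n", demo_hidden_count("gift.com"));
    return 0;
}
```

The same idea scales to every object class in the definition: compare the process list from the documented API with one reconstructed from a lower layer, or the registry view from the API with a parse of the hive file, and treat any entry that exists only in the lower view as hidden. A rootkit that hooks the kernel itself rather than libc defeats this particular raw view, which is why production detectors read the on-disk structures or run from a separate boot.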