New AIM Worm Making the Rounds
 
							
A new worm has surfaced affecting the AOL Instant Messenger network, security firm FaceTime reported this week. The malware, known as W32.pipeline, disguises itself as a JPEG image to deliver a Trojan horse onto a PC when executed.
The Trojan, image18.com, arrives as a link over AIM from another infected individual and places an executable named csts.exe in the user's System32 folder. According to FaceTime, this file can be used in a number of scenarios, which enables the perpetrators to shift executables around and modify their attack.
In instances seen by FaceTime, the Trojan downloads other randomly named executables, creates unwanted services, and opens up port 25 so a computer can be used to relay spam. It is also possible a machine will end up installing a rootkit.
"At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM such as: 'hey is it alright if i put this picture of you on my egallery album?', which will download the image22.com file (again, disguised as a jpeg)," FaceTime says.
Then, the cycle begins again and an infected machine attempts to infect others over AIM. FaceTime did not say how widely the attack was being carried out, but expressed concern about its amorphous nature. Even if a user receives a file out of order, the machine can be infected by all of the malicious files.
"Previous Instant Messaging attacks have tended to focus on the damage done by the files, with little thought on the method of delivery, save for the quickest way to get those files onto a PC. Here, the thrill for the bad guys seems to be in lining up as many of these 'install chains' as possible," the company noted.
"We think this particular group have many more executable files ready and waiting to go live, so where this one will end up is anyone's guess."
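The lure described above works partly because a file named image22.com reads like a web address rather than a DOS executable. The following is an added example, not code from FaceTime or the original article: a message filter that separates a .com host name from a .com file in the URL path. The host files.example.net, the extension list and the keyword list are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed list of extensions Windows runs directly; ".com" is the one
# most easily misread as a domain suffix.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Assumed image-themed lure words (the article's lure mentions a picture).
IMAGE_WORDS = re.compile(r"picture|photo|image|album|gallery|jpe?g", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def executable_link(url):
    """Return the linked file name if the URL *path* ends in an
    executable extension; a host such as example.com is not a match."""
    url = url.rstrip(".,;:!?)\"'")          # drop sentence punctuation
    path = unquote(urlparse(url).path)      # decode %2E-style escapes
    name = path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")                   # last extension wins (a.jpg.exe)
    if dot > 0 and name[dot:] in EXECUTABLE_EXTS:
        return name
    return None


def triage(message):
    """Classify one IM message as ('block' | 'review' | 'ok', [file names]).
    'block': executable link plus image-themed wording or file name.
    'review': executable link with no image theme."""
    hits = [n for n in map(executable_link, URL_RE.findall(message)) if n]
    if not hits:
        return ("ok", [])
    verdict = "block" if IMAGE_WORDS.search(message) else "review"
    return (verdict, hits)


# Constructed sample messages; the host name is a placeholder.
SAMPLES = [
    "hey is it alright if i put this picture of you on my egallery album? "
    "http://files.example.net/image22.com",
    "my photo http://example.com/pics/me.jpg",
    "new build: http://example.com/tools/setup.exe.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg), "<-", msg[:50])
```
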