Links leading to a worm that eventually implants a nasty rootkit on a user's computer are popping up on America Online Inc.'s (AOL) Instant Messenger network, security researchers are reporting.
The URL (uniform resource locator) is passed through instant messages on a person's Buddy List and in AOL chat rooms, Websense Inc. reported. Some versions of the URL have been taken down, and all were hosted on personal Web pages, the company said. Users see an IM (instant message) that says "see thing!!" or "hilarious," followed by a URL.
Clicking on the link starts a known worm, W32/Sdbot-ADD, which then transmits the lockx.exe rootkit, according to an advisory posted Friday by FaceTime Communications Inc., which is based in Foster City, California. The code allows an attacker to monitor the computer and upload or download files.
It also attempts to shut down antivirus programs in addition to installing a backdoor that could be used to install more software. The lockx.exe rootkit connects to an IRC (Internet relay chat) server and waits for remote commands.
Additional annoyances include changing the home page on the Internet browser and downloading applications from vendors such as 180solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle, FaceTime said.