The IM.GiftCom.All worm shows up as an innocuous-seeming URL in a chat message screen, featuring a link to what appears to be a Santa Claus site, said IM security vendor IMlogic, which first discovered the worm Monday.
In reality, clicking on the link starts a download that embeds a rootkit.
The rootkit also contains a keylogger.
The malicious software also attempts to shut down the user’s antivirus software and make several networking calls, possibly a repository maintained by the malware
The worm may also try to propagate itself to the user’s buddy list.
While IMlogic rated the IM.GiftCom.All worm as a medium risk, the worm is unusual in that it targets the three major public IM networks — AIM, Yahoo IM and MSN Messenger — as well as AOL’s ICQ.
According to statistics maintained by IMlogic, MSN Messenger is the most popular platform for IM-based attacks, accounting for nearly 44 percent so far in 2005. AIM is second on the list at 26.5 percent.