Pipeline Worm Floods AIM with Botnet Drones

For removal, X-Cleaner.

A new worm is crawling through AIM – using a sophisticated network of “chain” installs, the bad guys can start the process of infection with any of the files and still hit you with the rest. Or they can target you with a certain selection of files depending on what they want you to do as part of their Botnet. It's like a 10-hit Tekken combo, one that you are on the receiving end of. It starts with an innocent message like, “hey would it be ok if i upload this picture of you to my blog?”, which, upon clicking, starts you off by placing you in their botnet, where they can pretty much do whatever they want to with you.

They can get you many different ways, but here are three they detailed on their blog, all of which start with the downloading of the image18.com file (disguised as a jpeg):

1) Running the file results in csts.exe being created in your system32 folder. At this point, you may well be part of a Botnet (though not in all cases), and the infection has the potential to call down new files onto your PC, randomly selected from the numerous files waiting in “storage” that have been spread around the Net.

2) The infection has the potential to call numerous other files, such as files with fixed, unchanging names and randomly named executables which are constantly being updated. Depending on which files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams).

3) The infection has the potential to call numerous other files, such as d227_seven2.exe and randomly named executables which are constantly being updated. Depending on which files you end up with, the infection may create an unwanted service named RPCDB, open up SMTP port 25 (mail) and attempt to connect to a file upload site. In addition, some files attempt to exploit ADS (alternate data streams). You will also potentially end up with a Rootkit on your PC as a result of this particular scenario.

At this point, the infected PC is a Botnet drone and can be commanded to send new infection messages via AIM, such as:

“hey is it alright if i put this picture of you on my egallery album?”, which will download the image22.com file (again, disguised as a jpeg).

At this point, the cycle begins again and they can look to infect fresh victims with this exploit.
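To show what the chain above looks like from the defender's side, here is an added triage script (my own example, not code from the post, from X-Cleaner, or from the researchers' blog) that checks a host snapshot for the artifacts the post names: csts.exe and d227_seven2.exe in system32, the RPCDB service, SMTP port 25 opened, the image18.com/image22.com lure files, and the outgoing AIM lure text. It also flags any "picture" whose name carries an executable extension or whose bytes lack the JPEG magic number. The snapshot is constructed sample data; the field names are assumptions of this example.

```python
import re

# Indicators as described in the post. The host snapshot below is constructed
# sample data, not output from a real infected machine.
DROPPED_FILES = {"csts.exe", "d227_seven2.exe"}
LURE_FILES = {"image18.com", "image22.com"}
ROGUE_SERVICE = "rpcdb"
LURE_TEXT = re.compile(r"picture of you", re.IGNORECASE)
EXEC_EXTENSIONS = (".com", ".exe", ".scr", ".pif", ".bat")
JPEG_MAGIC = b"\xff\xd8\xff"


def is_disguised_image(filename, head):
    """A 'picture' is suspect if its name has an executable extension
    (image18.com is a DOS executable, not a JPEG) or if it claims to be
    a JPEG but its first bytes are not the JPEG magic number."""
    name = filename.lower()
    if name.endswith(EXEC_EXTENSIONS):
        return True
    return name.endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC)


def triage_host(snapshot):
    """Return the findings from a host snapshot that match the Pipeline chain."""
    findings = []
    for name in snapshot.get("system32_files", []):
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file in system32: {name}")
    for svc in snapshot.get("services", []):
        if svc.lower() == ROGUE_SERVICE:
            findings.append(f"rogue service installed: {svc}")
    if 25 in snapshot.get("listening_ports", []):
        findings.append("SMTP port 25 opened")
    for name, head in snapshot.get("downloads", []):
        if name.lower() in LURE_FILES or is_disguised_image(name, head):
            findings.append(f"disguised executable received over AIM: {name}")
    for msg in snapshot.get("outgoing_aim", []):
        if LURE_TEXT.search(msg):
            findings.append(f"host is sending the lure: {msg!r}")
    return findings


# Constructed snapshot of a host that has gone through scenario 3 above.
SAMPLE = {
    "system32_files": ["kernel32.dll", "csts.exe", "d227_seven2.exe"],
    "services": ["Dhcp", "RPCDB"],
    "listening_ports": [135, 25],
    "downloads": [("image18.com", b"MZ\x90\x00"), ("holiday.jpg", b"\xff\xd8\xff\xe0")],
    "outgoing_aim": ["hey is it alright if i put this picture of you on my egallery album?"],
}

if __name__ == "__main__":
    for line in triage_host(SAMPLE):
        print(line)
```

A clean host returns an empty list; the constructed SAMPLE produces six findings, and the genuine holiday.jpg is not flagged.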

X-Cleaner will remove w32.pipeline from your computer.


I also blogged about this at Realtechnews.com.