The W32/Sdbot-ADD worm infecting some users of AOL Instant Messenger is more dangerous than previously thought, according to Facetime Security Labs, the researchers who originally discovered the worm last month.
The rootkit installed by the worm, lockx.exe, is allowing systems to be further compromised by a group of attackers based in the Middle East, Facetime said. The attackers are installing additional malicious code capable of stealing personal information, according to the group.
At least tens of thousands of systems appear to be infected, Facetime said. The company's president and chief executive, Kailash Ambwani, said that the network of infected machines could, like other large botnets, be used to carry out denial of service attacks against particular websites.
"We have delivered detailed research information to the US federal authorities and are fully cooperating with their efforts," Ambwani said in a statement.
The worm attacks via AIM, asking users to open a link, apparently at the request of one of the user's "buddies" or contacts. Clicking on this the initiates infection sequence, which starts with the dropping of a number of adware files, and the rootkit software itself, lockx.exe.
Once on the PC, the malware attempts to shut down anti-virus software, install software that allows the PC to be remotely controlled by IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.
Facetime's newer research has found that lockx.exe is being actively used as a backdoor to install additional malware on systems. The additional malware can steal usernames, passwords and other information, and can be controlled via the IRC messaging system, Facetime said.
One of the files installed via lockx.exe, called ster.exe, specifically allows attackers to upload, download and monitor the infected PC, said Facetime. Other files allow theft of Outlook Express passwords, keystroke logging and launching additional attacks on Web sites or networks.
A group in the Middle East appears to be behind the additional malware, according to Facetime. The group has compromised servers in various countries around the world to distribute the new malware.
Facetime has published an online scanning tool that can detect and disable lockx.exe, the company said.