The list of chat clients being exploited by this malware includes Facebook Chat, Skype, GTalk, Pidgin, MSN Messenger, Yahoo! Instant Messenger, and even ICQ.
The attack starts off with the user being presented with a chat window from an unknown contact containing a link to an “interesting” video, which is a common tactic used in Facebook scams.
Should the user make the mistake of following the link, the malware will be downloaded and installed on their machine [presumably via drive-by-download]. The malware is usually delivered in a file named Picturexx.JPG_www.facebook.com.
Once the malware has successfully infected a machine, it makes itself feel at home by:
- Bypassing the firewall directly with netsh using the command line “netsh firewall allowed program” and/or modifying the firewall policy & making a registry modification to add itself as an allowed program
- Editing the Windows registry to ensure it runs whenever the system is turned on or restarted
- Checking for anti-malware programs such as Microsoft Security Essentials, Kaspersky Antivirus, ESET Smart Security (or NOD32 Antirvirus), Avira Antivirus, and Windows Defender so it can disable them
- Changing the start page for Internet Explorer and modifying the preference files for Google Chrome and Mozilla Firefox
As if that weren’t bad enough, the bot malware receives commands from a remote attacker and begins pumping out malicious chat messages to others in order to collect more victims.
There is a light at the end of the tunnel, though. McAfee says that removing this malware from your system is relatively easy.
“We kill the running instances of this process using Process Explorer or Task Manager.” Niranjan Jayanand explained in a McAfee blog post on Wednesday, “The start-up entry made by the malware must be cleared as well to avoid its reloading after rebooting.”
To avoid having their computer recruited by the botnet malware, McAfee advises users to avoid clicking links from unknown sources and keeping their anti-malware/antivirus software up-to-date.
Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet, “Like” us on Facebook or add us to your circle on Google+.