Apr 15, 2011 09:42 GMT  ·  By

Security researchers warn that a malicious component distributed by an IM worm cripples antivirus systems and blocks access to many security-related websites.

The attack begins with malicious links spammed on Windows Live Messenger leading users to rogue pages distributing the trojan dropper.

According to BitDefender's Bogdan Botezatu "the payload is presented as multiple sections of Base-16 Unicode data.

"Conversion to ANSI reveals a set of buffers split by a separator. Ignoring the separators and dumping the data reveals an encrypted file packed with UPX."

The trojan attempts to cripple antivirus programs, but not in the traditional way, through a rootkit. Instead, it kills some of the security products' processes, so that the user can no longer interact with them.

The malware also behaves like a DNS hijacker: it appends many rogue entries to the Windows HOSTS file, which the resolver consults before querying DNS, so that hostnames belonging to antivirus vendors and other security-related resources resolve to addresses of the attacker's choosing and the sites become unreachable.

Furthermore, the trojan hijacks online banking URLs and points them to spoofed websites set up by attackers for phishing purposes.
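The two HOSTS-file abuses described above (sinkholing security vendors, redirecting banks) are easy to check for on a suspect machine. The following Python audit is an added example, not code from the article or from BitDefender: it parses a HOSTS file, and flags watch-listed names sent to loopback or black-hole addresses, watch-listed names sent anywhere else, and any other name mapped to a non-loopback address. The sample file, the vendor and bank watch-lists and the `198.51.100.7` address are constructed for the demonstration.

```python
import ipaddress

# Constructed sample of a tampered HOSTS file (not a real capture): the stock
# localhost lines followed by entries of the kind the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- appended by malware (constructed) ---
127.0.0.1 www.bitdefender.com
127.0.0.1 update.symantec.com liveupdate.symantec.com
127.0.0.1 www.malwarebytes.org
198.51.100.7 onlinebanking.example-bank.com
198.51.100.7 www.example-bank.com  # looks like banking
"""

# Hypothetical watch-lists; a real deployment would use the vendor and bank
# domains that matter in its own environment.
SECURITY_DOMAINS = {"bitdefender.com", "symantec.com", "malwarebytes.org", "kaspersky.com"}
BANKING_DOMAINS = {"example-bank.com"}

# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in a HOSTS file.
    Comments (#) and blank lines are skipped; one line may map several names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield lineno, parts[0], name.lower()


def registrable(hostname):
    """Crude 'registrable domain' = last two labels; enough for these watch-lists."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_hosts(text):
    """Classify suspicious mappings as (category, lineno, ip, hostname):
      'sinkhole' - watch-listed name sent to a black-hole address (blocks AV sites/updates)
      'redirect' - watch-listed name sent to some other address (phishing, fake updates)
      'foreign'  - any other name pointed at a non-black-hole address (worth a look)"""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the stock entries
        watched = registrable(name) in SECURITY_DOMAINS | BANKING_DOMAINS
        if watched:
            category = "sinkhole" if ip in BLACKHOLE else "redirect"
        elif ip not in BLACKHOLE:
            category = "foreign"
        else:
            continue  # unwatched name black-holed: ad blocking, usually benign
        findings.append((category, lineno, ip, name))
    return findings


if __name__ == "__main__":
    # On Windows, read r"C:\Windows\System32\drivers\etc\hosts" instead of the sample.
    for category, lineno, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{category:9} line {lineno:3}: {ip:15} -> {name}")
```

On an infected machine, run it against the real file at `%SystemRoot%\System32\drivers\etc\hosts`; anything in the `sinkhole` or `redirect` categories explains both the unreachable vendor sites and the banking redirection, and the file can then be restored to its stock contents once the malware is stopped (otherwise it will simply rewrite the entries).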

The trojan is also used for click fraud. It opens several pages riddled with ads in a hidden browser window and simulates clicks. Its creators earn anything from $0.05 to $1 per click.

The BitDefender security expert goes on to note that the trojan employs common self-preservation mechanisms, such as modifying the entry point of a svchost.exe process so that the malicious code is launched inside that legitimate system process.

"This is a common practice in the malware creation industry, which ensures that any user trying to see what happens in the process list won’t be able to detect the in-memory malicious code," Mr. Botezatu explains.

Inspecting the process list is difficult in the first place, because the trojan disables Task Manager; the Registry Editor is prevented from running as well.
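The article does not say how this trojan blocks Task Manager and regedit, but the usual way is to set the Windows Explorer policy values `DisableTaskMgr` and `DisableRegistryTools` under `...\Policies\System`, which is therefore the first place to look. The script below is an added example, not BitDefender's or the article's code: it parses the output of `reg query` for those keys, reports which lockouts are enabled, and prints the `reg.exe` commands that clear them (`reg.exe` keeps working even when `regedit.exe` is blocked). The `reg query` output is constructed for the demonstration.

```python
import re

# Keys Windows consults for these policies (HKCU applies to the user, HKLM to all users).
# Assumption: this is the standard mechanism; the article does not name the one this trojan used.
POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
)
LOCKOUT_VALUES = {"DisableTaskMgr": "Task Manager", "DisableRegistryTools": "Registry Editor"}

# Constructed sample of `reg query <key>` output for the two keys (not a real capture).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
    NoDispCPL    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
"""

# One indented value line: name, type, hex data (reg.exe prints DWORDs as 0x...).
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Map each key in reg-query output to a dict of its REG_DWORD values."""
    tree, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            tree.setdefault(current, {})
            continue
        match = VALUE_RE.match(line) if current else None
        if match:
            tree[current][match.group(1)] = int(match.group(2), 16)
    return tree


def find_lockouts(text):
    """Return [(key, value_name, tool)] for every lockout policy with a non-zero value."""
    tree = parse_reg_query(text)
    found = []
    for key in POLICY_KEYS:
        for name, tool in LOCKOUT_VALUES.items():
            if tree.get(key, {}).get(name, 0) != 0:
                found.append((key, name, tool))
    return found


def remediation_commands(lockouts):
    """reg.exe commands that remove each lockout; run elevated after the malware is stopped,
    since a running trojan would simply set the values again."""
    return [f'reg delete "{key}" /v {name} /f' for key, name, _ in lockouts]


if __name__ == "__main__":
    # On the suspect machine, feed in the real output of:
    #   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    #   reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    lockouts = find_lockouts(SAMPLE_REG_QUERY)
    for key, name, tool in lockouts:
        print(f"{tool} disabled via {name} in {key}")
    for cmd in remediation_commands(lockouts):
        print(cmd)
```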

Users are advised to exercise caution when dealing with links received on instant messaging programs, even when they are sent by a friend. Running an up-to-date and capable antivirus program is always a must.