FaceTime Security Labs, which rates the worm as "high risk," warned that one of these commands has the ability to control the AIM client on the infected host and send a message containing links to the AIM buddy list. When recipients click on the link they become infected with new variants of the IRC enabled malware along with an installation executable "creame.exe" which delivers multiple adware payloads including Zango and 180 solutions.
All users who have been infected by the 'lockx.exe" or "palsp.exe" or its variants are at most risk.
This worm sends one of the following messages to buddies on the AIM contact list of the infected machine:
(1) "great picture :) http://www.picteurestrail.net/Mastermon/XXXXXX.JPG"
(2) "not a right time to take a picture haa :-) http://www.picteurestrail.net/Mastermon/XXXXXX.JPG"
(3) "not a right time to take a picture haa :-) http://www.pictrail.net/Matelord/XXXXXX.JPG"
(4) "not a right time to take a picture haa :-) http://www.picstrailx.net/Mateslord/XXXXXX.JPG"
The detection of this latest AIM worm follows the discovery last November that the AIM RootKit worm was tied to the worldwide bot network controlled by a hacking group in the Middle East.
Chris Boyd, security research manager for Facetime Communications, warned that next generation versions of this type of IM malware were rapidly becoming more dangerous and malicious.