The New York-based media conglomerate would not disclose the number of accounts infected by the malware, but said that its in-house instant messaging spim unit first identified the problem as the Oscarbot trojan and took action by shutting down certain accounts to stop the spread. Users whose accounts were suspended reportedly lost the entire contents of their buddy lists.
The Oscarbot, which first emerged as Doyorg, is programmed to specifically wreak havoc on AOL's AIM product and quickly spreads through buddy lists. According to eWeek, the trojan spreads through a URL embedded in the infected IM that uses the lure "Check out this" or "I thought you'd want to see this" to get the user to click through. Once the user clicks through, they are asked to run an executable file that installs the trojan.
Oscarbot can also contact a remote Internet Relay Chat (IRC) server, log on to a specified channel and wait for further instructions from a remote user. Once installed on a computer, the malware creates a copy of itself in the Windows system folder and edits certain registry keys to ensure that it is run as a service when the system starts up.
Since the trojan was first discovered, AOL's AIM unit has been flooded with angry calls and emails from users who have had their accounts suspended and buddy lists wiped clean. AOL has requested that users whose accounts have been suspended contact the company's IM department for further instructions.
In the meantime, Graham Cluley of Sophos is urging companies to consider whether using IM is worth the risk of having corporate networks invaded.
"Fundamentally, many businesses will have to ask their staff if they really need IM for their day-to-day work, and if not, it may be more sensible to take it away," he told ComputerWorld. "We're certainly seeing more instant messaging malware being written, although they haven't yet had the same kind of impact as email-aware worms or Internet worms."