The new worm targets PC hosts infected with lockx.exe or palsp.exe and uses IRC-enabled malware to connect the host to a server, which drives further infection through a series of commands. One of the commands can control the AIM client on the infected host and send a message containing links to everyone on the AIM buddy list. When recipients click on the link, they become infected with new variants of the IRC-enabled malware along with an installation executable, creame.exe, which delivers multiple adware payloads including Zango and 180solutions.
Users already infected with the files lockx.exe or palsp.exe are most at risk, but any user clicking on the wrong IM link can be infected. There’s an executable called creame.exe that delivers the adware, including 180solutions and Zango. Facetime has a free online scan that detects and disables files such as lockx.exe. If you’re an AIM user and notice anything unusual, I’d say head for the free scan ASAP.