Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Security The Internet

Santa IM Worm Hits AOL, MSN and Yahoo 149

elmtree95 writes "CNET News reports A Santa Claus worm is attempting to trick America Online, Microsoft MSN and Yahoo instant-messaging users into clicking on a file that delivers unwanted software to a victim's computer. The IM.GiftCom.All worm attempts to dupe IM users into thinking an acquaintance has sent them a link to a harmless Santa Claus file. IM security vendor ELMTree Software has released a patch to their ChatPatrol ( product to address this issue."
This discussion has been archived. No new comments can be posted.

Santa IM Worm Hits AOL, MSN and Yahoo

Comments Filter:
  • by Anonymous Coward on Thursday December 22, 2005 @12:59AM (#14315069)
    "lol, it's not a virus."
  • Oh boy! A Bonzi Buddy! Just what I wanted. Thank you, Santa.
  • Gee, first post.

    As a Mac user I feel really lonely.
  • by Anonymous Coward on Thursday December 22, 2005 @01:01AM (#14315081)
    elmtree95 writes.... IM security vendor ELMTree Software has released a patch to their ChatPatrol

    'nuff said
    • "IM security vendor ELMTree Software has released a patch"

      ... and we all hope (in reverend silence) that they havent released the Santa Claus worm itself also
    • by Anonymous Coward
      What makes you think it was free? It's hard to escape the conclusion that slashdot has been running paid slashvertisements for years, indeed some editors hardly seem to approve any other kind of story.

      In addition there are pagerank spammers like **BeatlesBeatles that appear so frequently despite user outcry that backhanders are again the only logical reason.

      Slashdot : Press releases for gullible nerds, stuff that makes us money
    • I have never seen such shameless product promotion to this date on slashdot.

      I suggest Slashdot to revoke that user account. I know it can't be deleted, just change suckers password.
  • by Anonymous Coward on Thursday December 22, 2005 @01:03AM (#14315086)
    Please, please don't bring me any gifts. The bicycle you fired at me last year from your bicycle gun really tore up my insides.

    -- AIM user
  • How does it work? (Score:4, Interesting)

    by the_humeister ( 922869 ) on Thursday December 22, 2005 @01:03AM (#14315088)
    Since the user has to click on a link, I assume the browser type matters?
    • Re:How does it work? (Score:3, Informative)

      by setirw ( 854029 )
      Not necessarily. It could be linked to an EXE or PIF, which a naïve user would open. If the target ignores all browsers' warnings about harmful EXEs, in combination with Windows's hiding of file extensions... (somefile).jpg .exe is something I've seen many times. By the way: Does IE prompt that PIF/BAT files are potentially dangerous when downloading? How about VB scripts?
      • Re:How does it work? (Score:3, Informative)

        by Anonymous Coward
        It's a '.com' (like file being distributed. User clicks accept to start the file transfer. On completion, the IM client turns the filename into a clickable link which, if clicked, starts the malicious component.
    • If you remember the other big IM worm a few weeks (months?) ago, browser didn't matter. Just user stupidity. So, as I said then, tell your friends and family to NOT CLICK LINKS! Unless of course, whomever im'ed them can repeat a phrase, such as "I AM a bot, you stupid fool!!!" Security at its finest.
  • by setirw ( 854029 ) on Thursday December 22, 2005 @01:03AM (#14315091) Homepage
    better !pout !cry
    better watchout
    lpr why
    santa claus town
    cat /etc/passwd >list
    ncheck list
    ncheck list
    cat list | grep naughty >nogiftlist
    cat list | grep nice >giftlist
    santa claus town
    who | grep sleeping
    who | grep awake
    who | egrep 'bad|good'
    for (goodness sake) {
    be good

    Dang, I guess he really meant the last three lines!!
  • Ho ho ho. (Score:2, Funny)

    by mctk ( 840035 )
    Harmless Santa Claus file? More like insubordinate Claus file.
    • Sad, no American Public School grad will catch that joke...
      • You were funny until your American grammar sucked.

        American (might be capital, but I graduated from one so I am not sure)

        public school

        We don't capitalize our public schools because they are not a proper noun unless we use the proper name for the school, but good shot!

        Try again next time.
  • It's a /. story... (Score:4, Insightful)

    by Trailer Trash ( 60756 ) on Thursday December 22, 2005 @01:04AM (#14315095) Homepage
    And an advertisement, all in one convenient package!
  • HO HO HO! Merrrrrrrrrry Christmas!

    (Finally, a reason for me to say that!)
  • Anyone who catches this is at fault.

    what happens is you get an IM message with a link. if you click it, it's your fault when it downloads.

    When it downloads it is still just nothing but a file on your disk. If you accidentally click it you have a chance not to run it. Second luck, if you like.

    If you then open that file and become infected, it is your own fault.

    It is like being warned two times not to put your tongue on a 110v wire chasss. If you still do it you have nobody else to blame.

    As they say, take the
    • by mattmacf ( 901678 )
      taking the warnings off doesnt help when a worm installed across several thousand idiots starts DOSsing a site im trying to get to. licking a 110v wire shouldnt knock my power out.

      regardless, it looks like just another silly aim worm (albeit with a festive holiday flair).

    • "A Santa Claus worm is attempting to trick America Online, Microsoft MSN and Yahoo instant-messaging users..."

      Which would be about as hard as falling off a bucket.

    • ...and that's why it's usually my girlfriend's sorority sisters who need help fixing these fucking things.
    • I agree totally. Everyone in my family has been warned about not clicking on links in IM, and openening Email attachments, and .......................

      Yet they don't think it is their fault when they get a virus/worm/spyware.

      Unlike the ignorant Linux fanboys on /., I do not think it is their fault just for using Windows, but they need to be somewhat responsible. The sad part is, even after 10 years of Windows problems, I still have family that insist they don't need security updates, firewall, and the like
  • Nice plug. (Score:1, Redundant)

    by chundo ( 587998 )
    elmtree95 writes...


    IM security vendor ELMTree Software has released a patch to their ChatPatrol ( product to address this issue.

    Nice. Nothing like free PR!
  • Bad information (Score:1, Insightful)

    by sloanster ( 213766 )
    The article says that "it delivers unwanted software to a victim's computer"...

    Um, no. It delivers unwanted software only to hapless users of microsoft OSes. Those running OSX, Linux, BSD etc are completely unaffected.
    • by Afecks ( 899057 ) on Thursday December 22, 2005 @01:14AM (#14315129)
      It delivers it to anyone... it only works on Windows.

      Sorry but if you want to nitpick, be prepared to receive the same.
    • Are you sure the "unwanted software" doesn't run with Wine?

      While technically you may be correct, you're still a troll for trying to bash Microsoft on this.
    • by Psykosys ( 667390 )
      Because most people use Windows and it's therefore targeted to that platform. Seriously though, why does every new IM worm end up on /.? There's nothing remotely new about this, people have used far more clever names to package worms than "Santa" in the past, and the worm itself possesses absolutely no new features of interest.
  • With all the publicity that this sort of infection has gotten over the last two years, anyone stupid enough to click on the link deserves what they get. Merry farfing Christmas.
    • Unfortunately for your analysis, people die, and new people are born every day. There's always new people using computers, uninformed of the risks, not knowing there -is- a risk. That's hardly their fault.
  • by queenb**ch ( 446380 ) on Thursday December 22, 2005 @01:10AM (#14315117) Homepage Journal
    Maybe we can push the Sony root kit out via IM to all of Sony's employees. Anyone know if they have a corporate IM server?

    2 cents,

    Queen B

  • These tricks are a few of many that spammers and scammers are resolting to in order to install malware on peoples computers. Santa Clause, how ironic seeing as its the holiday season and people are susceptible.

    Microsoft provides this URL for users to immediately get rid of the latest Malware: Remove Malware []

  • Watch out! (Score:3, Funny)

    by techno-vampire ( 666512 ) on Thursday December 22, 2005 @01:21AM (#14315159) Homepage
    Oh, you better watch out,
    You better not cry,
    You better not chat,
    I'm telling you why:
    Santa Worm is coming to town!
  • ChatPatrol (Score:1, Interesting)

    by Anonymous Coward
    So... can I get the source to this blatant ripoff of gaim?

    Elmtree must be the stupidest company I've seen. They rip off gaim, and then write a post to slashdot: the place where the users are most likely to call them on their infringement!
    • Re:ChatPatrol (Score:4, Informative)

      by Anonymous Coward on Thursday December 22, 2005 @02:36AM (#14315403)
      It's not even a ripoff of Gaim, it's just a lousy non-free, non-Free, Windows-only plugin for the commercial IM clients, being hawked using an account which is employed for that purpose only. elmtree95's one and only /. post [].

      Does it install a clue for users silly enough to download and run executables being pushed by anonymous strangers?

      "IM security vendor." How pathetic.

      Editors, please don't put spam stories like this on the site. That's all it is.

    • Re:ChatPatrol (Score:2, Flamebait)

      by PitaBred ( 632671 )
      Or perhaps you're simply stupid yourself, and unable to understand the brief verbage on their site.
      That screensot? That just shows that they work with Gaim []. It's an IM security/encryption program that runs transparently basically as a proxy from what I can tell. They don't have an IM client themselves.
      Oh, wait... write first, comprehend later. I'm the first to get on someone ripping off open source, but this ain't one of those times, and all it would have taken was using your brain before you typed to
    • You've got to admit,'s kinda goofy for them to show gaim on their front page, when there are already several very good encryption plugins for it already.
  • Probably don't want no wino Santa at my house anyhow. I'll stuff my own stockings, thanks.
  • Don't click on links in strange IMs!!!

    Does anyone listen? No. You know who gets these things? Sad and lonely people, and at this time of year, they are especially vulnerable.

    • Don't click on links in strange IMs!!!

      That sounds an awful lot like "Don't open strange email attachments!!!" I do both and I have no problems. My secret?

      Keep a recent backup and use a more secure OS. (Thanks to that second bit, I've never needed the first.)
    • You know, oddly enough, I have sent links to executables, and transferred executables to friends. I don't always provide a lengthy explanation as to what it is either. How can you really define "strange", especially to people who don't have a built-in scam detector?
    • Well, why the fsck should clicking on a something fsck your whole system?
      • Yeah! And why should pressing down the accelerator in my car make me crash into stuff?
        • You don't understand - on a Unix system (Solaris, MacIntosh, Linux etc.) running a malicious program will only affect that user. The other users and the system itself will still be fine. On MS systems, the whole friggen system blows up. That is just stupid.
          • running a malicious program will only affect that user. The other users and the system itself will still be fine.

            int main() {
                  while (1) { fork(); }
                  return 0;

            affects everyone on pretty much all systems.
            • bah humbug

              #include <unistd.h>
  • I can't believe there's an article on /. that mentions Yahoo, MSN, and AOL, but not Google. They must feel so left out.

    Did someone finally impose a Google limit on /.?

  • He who does not have anti-virus software nor the common sense not to click on the link nor the common sense not to run the file deserves what's coming to them.

    This really isn't any different from the morons who message random people telling them to download sub 7.
  • by ShyGuy91284 ( 701108 ) on Thursday December 22, 2005 @02:03AM (#14315293)
    The thought crossed my mind that the "delivers unwanted software" hyperlink would be a hotlink to the virus. I know if I were sadistic enough I would have done it in samzenpus's place.....
  • This doesn't bode well. I think AOLers are just now getting up to speed on the "good times" virus.
  • by trance9 ( 10504 ) on Thursday December 22, 2005 @02:18AM (#14315342) Homepage Journal
    So is slashdot running paid stories now? How much to I have to pay to have a story of my choice run and mention my company like this?
  • Please read this post regarding IM Logic: s&file=article&sid=3135 [] "If you have been looking for more details on the IM.GiftCom.All threat, you won't find them. Why, you ask? Two reasons, first, IM Logic didn't release any and second, you are most likely not an IM Logic customer. IM Logic withholds details of Santa Claus worm, unless you're a customer IM Logic withholds details of Santa Claus worm, unless you're a customer On Dec. 19th IM Logic re
  • The Santa worm is the latest tactic to be used on IM networks. Past tricks have included offers of movie clips to the latest release of "Star Wars" that instead led to an infected computer.

    Yes that should definitely fool the 3 people who still haven't watched the movie into clicking on the link...

    [Friend_1] Hey d0od check out this clip of the latest Star Wars...
    [Friend_2] No thx just send me the .torrent...
  • They must already have your paypal account info, your Bank of America info, and your social. The words, "your account has been restricted," = we're fishing for your info. Seriously, since the days of Prodigy, people have been trying to steal your info. If you are dumb enough to fall for this, you deserve it. And my email account is still through AOL. I just saw a commercial that AOL supposedly protects against this crime. Why do I get get 10 emails a day that my account has been restricted? Because I all
  • Believe me. People WILL click the link. They always do.
    There always is one stupid person who starts it all.

    i call for a "You Must be this smart to use the internet" Logo whenver you use the internet! :P

    and on that note, cue the jingles....
  • This linux screensaver virus was only posted a little while ago [].

    It just gets worse and worse *g*

    Silent delivery of Linux to the desktop, I think it's the way forward!

    PS. No I didn't RTFA

  • Man, these people are so dumb. I asked first if it was a virus and my friend told me "lol, no its not a virus" and I just *knew* I was safe. Always ask first! ;-)
  • There are legit ways to advertise on slashdot.

    Check []

    It will also prevent hundreds of security professionals, system admins reading slashdot to hunt you down if you coded the lame worm or not.

    I know you can call it paranoia but submitting a worm story to slashdot promoting your product can make people wonder how far you would go.

    Also people concerned about that worm: Update your virus databases and get latest security patches for your OS and IM Application.

I owe the public nothing. -- J.P. Morgan