Multi-feature IM worm blocks Windows task manager and intercepts web page calls

According to Bogdan Botezatu, a senior communications specialist with BitDefender, a component within the worm – which propagates via Windows Live Messenger using rogue URLs – routes users to a trojan-dropping website.

What is interesting about the malware is that, as well as blocking access to several security-related websites – a technique also used by early variants of Zeus – the IM worm reportedly hijacks direct connections to online banking web portals and re-routes them to fake sites set up by the hackers.
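The article does not say how the worm blocks security sites or redirects banking traffic. One place a defender checks first on a suspect machine is the Windows hosts file, since an entry there can either block a name (pointing it at loopback) or redirect it elsewhere. The following audit script is an added example, not BitDefender's or the worm's code; it assumes a hosts-file mechanism, and both the watchlist domains and the sample hosts file (using reserved `.test` names and a documentation-range address) are constructed.

```python
"""Audit a Windows hosts file for entries that block or redirect watchlisted domains.

Added illustration. Assumes the block/redirect is implemented via the hosts
file; the watchlist and sample file contents are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical watchlist: domains a defender cares about (security vendors,
# banking portals). A real deployment would load this from configuration.
WATCHLIST = {"example-av.test", "example-bank.test"}

# Constructed sample hosts file: one blocking entry (loopback) and one
# redirect entry (198.51.100.23 is from the documentation address range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   update.example-av.test
198.51.100.23 online.example-bank.test  www.online.example-bank.test
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    address: str
    kind: str  # "block" (maps to loopback/unspecified) or "redirect"


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first token is not an address
        for host in parts[1:]:
            yield parts[0], host.lower()


def on_watchlist(host: str, watchlist=WATCHLIST) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def audit_hosts(text: str, watchlist=WATCHLIST) -> list:
    """Return a Finding for every watchlisted name that the hosts file overrides."""
    findings = []
    for addr, host in parse_hosts(text):
        if not on_watchlist(host, watchlist):
            continue
        ip = ipaddress.ip_address(addr)
        # Loopback/unspecified means the name is being blackholed; anything
        # else means traffic is being sent to an address the user did not pick.
        kind = "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append(Finding(host, addr, kind))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f.kind:8} {f.hostname} -> {f.address}")
```

On a live system the text passed to `audit_hosts` would be read from `%SystemRoot%\System32\drivers\etc\hosts`; any finding at all for a banking or vendor domain is worth investigating, because those names have no business being overridden locally.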

As if all of this wasn't enough, Botezatu reports that the malware performs click fraud from the infected machine, generating clicks on revenue-producing banner ads from a hidden browser window.

On first execution, the malware disables "an incredible assortment of processes associated with antimalware products or with digital forensics software."

"Despite the fact that the trojan does not have any rootkit component to allow total termination of the self-protection mechanisms set in place by antimalware solutions, the trojan actually succeeds in compromising some of their processes or crippling others' interaction with the user", says Botezatu in his latest security blog.

One interesting technique to prolong its infection on a user's PC involves creating an svchost.exe process and then suspending its operation, as well as modifying the entry point of the process to automatically launch its code.

This is, says Botezatu, "a common practice in the malware creation industry, which ensures that any user trying to see what happens in the process list won't be able to detect the in-memory malicious code."

"Moreover, as the trojan cripples any malware analysis tools (including access to the Windows Registry Editor and the Task Manager), chances are that you won't be able to terminate it", he notes.
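The suspended-svchost technique described above leaves an svchost.exe in the process list that looks ordinary at a glance but was not started the way the real service host is. The script below is an added example (not BitDefender's or the worm's code) of how a defender hunts for such instances in process-creation telemetry: the genuine svchost.exe lives in System32, is started by services.exe, and carries a `-k <group>` argument. The article gives no telemetry, so the event records and their field names are constructed, modelled loosely on what EDR or Sysmon-style logs provide.

```python
"""Hunt for svchost.exe instances that do not look like the real service host.

Added illustration. The event records are constructed; the three heuristics
(System32 path, services.exe parent, "-k <group>" argument) are general
properties of a legitimately started svchost.exe.
"""
import re

SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"
SERVICES_EXE = r"c:\windows\system32\services.exe"

# Constructed process-creation events (values are made up): one legitimate
# svchost, one spawned from a user-writable path, one masquerading by name,
# and one unrelated process.
SAMPLE_EVENTS = [
    {"pid": 612, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 3344, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\photo.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe"},
    {"pid": 4000, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\svchost.exe -k netsvcs"},
    {"pid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def _norm(path: str) -> str:
    """Case-insensitive path comparison, as NTFS paths are case-insensitive."""
    return path.strip().lower()


def svchost_anomalies(event: dict) -> list:
    """Return the reasons an event looks like an abused svchost.exe.

    Events for other images return []; a legitimately started svchost
    also returns [].
    """
    image = _norm(event["image"])
    if not image.endswith(r"\svchost.exe"):
        return []
    reasons = []
    if image != SYSTEM32_SVCHOST:
        reasons.append("svchost.exe outside System32")
    if _norm(event["parent_image"]) != SERVICES_EXE:
        reasons.append("parent is not services.exe")
    if not re.search(r"\s-k\s+\S+", event["cmdline"]):
        reasons.append("missing -k service-group argument")
    return reasons


def hunt(events) -> dict:
    """Map pid -> reasons for every event with at least one anomaly."""
    return {e["pid"]: r for e in events if (r := svchost_anomalies(e))}


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

None of these checks inspects memory, so they do not prove hollowing on their own; they narrow the process list to the few svchost instances worth pulling a memory image of, which is exactly the triage the article says the worm tries to make impossible by disabling the usual tools on the infected host. Running the hunt from a separate collection host sidesteps that.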
