STEAM-CIRT Summary and Trends for April, 2006

During the month of April, the STEAM-CIRT logged the resurgence of an instant messaging Trojan known as “IM.GiftCom.All”, aka “Santa Worm”.  This variant of the worm invites its victims to click on a link that says “is it okay if I post these pictures on facebook?”.  Instead of pictures, however, the user receives a payload containing a rootkit, a keystroke logger, and a remote control component (IRC bot).  It is the STEAM-CIRT's opinion that this IM Trojan Horse is especially enticing to students, due to the wide-spread use of Facebook on campus and their lack of awareness regarding malware that propagates over instant messaging (71 users were affected within a 7 day period).

In spite of this, email-based viruses continue to decline according to Mailhub anti-virus filtering.  This can be attributed to a variety of factors including lack of new email-based malware, better detection capabilities, and user awareness.  

Also, it should be noted that a new worm was discovered by our peers at the University of Minnesota near the end of April.  This worm, called “Nugache” by anti-virus vendors, propagates via AOL Instant Messenger (like the aforementioned “Santa Worm”) and is unique in that it uses an encrypted or obfuscated peer-to-peer protocol as its command and control mechanism.  This worm was also detected on the Purdue University campus network, but few hosts were affected and little has been seen from the worm since it was discovered.

As a follow-up to our March summary, the STEAM-CIRT has obtained approval to institute a block of tcp port 6000, which is assigned as an X11 communications port.  This block is anticipated to go into effect on May 30th, 2006.  It is the STEAM-CIRT's hope that this will reduce the number of X11 snooping attacks on Purdue users while we continue to educate them about the secure use of X11 servers.

Finally, the STEAM-CIRT expects the number of reported IT Incidents to decrease dramatically early in the month of May due to the end of the Spring 2006 academic semester: ResNet is a large contributor to IT Incidents, and the majority of ResNet users will not be on campus for the summer.

Posted by Matthew Wirges on May 16, 2006

