Press Release
New IM Worm Targets AIM Users to Deliver Adware Payload
FOSTER CITY, CALIF - January 6, 2006 - Research experts at FaceTime Security
Labs™, the threat research division of FaceTime Communications, identified and
reported a new threat today affecting AOL Instant Messenger (AIM) applications.
The new worm targets PC hosts infected with lockx.exe or palsp.exe and utilizes
IRC-enabled malware to connect the host to a server for further infection
through a series of commands. One of the commands has the ability to control
the AIM client on the infected host and send a message containing links to the
contacts on its AIM buddy list. When recipients click on the link, they become
infected with new variants of the IRC-enabled malware along with an installation
executable, "creame.exe", which delivers multiple adware payloads including
Zango and 180solutions.
Who is affected: All users who have been infected by "lockx.exe" or
"palsp.exe" or their variants are most at risk. Users can initiate a free online
scan which can detect and disable files such as lockx.exe by visiting:
www.facetime.com.
Threat Type: Worm
Risk Level: High
Additional Information:
This worm sends one of the following messages to buddies on the AIM contact
list of the infected machine:
- "great picture :) http://www.picteurestrail.net/Mastermon/XXXXXX.JPG", or
- "not a right time to take a picture haa :-)
  http://www.picteurestrail.net/Mastermon/XXXXXX.JPG"
- "not a right time to take a picture haa :-)
  http://www.pictrail.net/Matelord/XXXXXX.JPG"
- "not a right time to take a picture haa :-)
  http://www.picstrailx.net/Mateslord/XXXXXX.JPG"
This past November, FaceTime security researchers discovered how the AIM
RootKit worm was tied to the worldwide Bot network controlled by a hacking
group in the Middle East.
FaceTime Customers Can Prevent This Threat
FaceTime Enterprise Edition and IMAuditor customers can proactively block these
malicious threats and prevent infections before they happen by blocking
downloads of the specific executable files associated with the threat. FaceTime
also recommends activating the Day Zero Defense System within IMAuditor 6.5.
The system utilizes anomaly detection techniques to analyze multiple
characteristics of IM-borne worms and other malicious code against normal
behavior, and provides patent-pending protection against these threats without
the need for traditional security signatures. FaceTime RTGuardian customers are
automatically protected if they have auto update features enabled. FaceTime's
X-Cleaner customers (formerly XBlock) should download the latest update and
scan their PC to detect and remove lockx.exe files.
About FaceTime Communications
FaceTime Communications enables the safe and productive use of instant
messaging, Web usage and Unified Communications platforms. Ranked number one by
IDC for four consecutive years, FaceTime's award-winning solutions are used by
more than 900 customers – including nine of the 10 largest U.S. banks – for
security, management and compliance of real-time communications. FaceTime
supports or has strategic partnerships with all leading public and enterprise
IM network providers, including AOL, Google, Microsoft, Yahoo!, Skype, IBM and Jabber.
FaceTime is headquartered in Belmont, California. For more information visit
http://www.facetime.com or call 888-349-FACE.
The FaceForward blog, at http://blog.facetime.com,
offers thoughts and opinions about the changing nature of Internet communications.
PR Contact:
Joshua Barnes
A&R Edelman
650-762-2865
joshua.barnes@ar-edelman.com