ALARM Group ALERT (ALARM: The Computing Alert System)
Alert Number: 021805-01
Alert Date: 02/18/05
Alert Title: Recent increase in AIM-related virus activity
Update-to: none
OS/Platform/Application: America Online Instant Messenger ('AIM') Service on Windows, Mac, Linux platforms
Category: ALERT
Severity: Medium
Attention: Windows System Administrators, Desktop Support Personnel, AIM users on above-listed platforms.
Summary: A variant of the "sdbot" virus is currently active and spreading on various university computing networks (including the University at Albany). This particular variant does not currently appear to be detectable or removable via traditional means (e.g., many commercially available anti-virus software packages). The primary vector of infection for this variant is a malicious hyperlink, often advertised in an AIM user's "away" message. The hyperlink uses a variable file extension (previously .scr, most recently .pif); an example of a recently captured message appears below:

PICS FROM VALENTINES http://www.XXXXXXXXX.XXX/photos.pif :-) !!!
(link obfuscated for this example; text and link will vary in the wild)
Recommended Actions: AIM users are strongly encouraged NOT to click on any hyperlink that arrives in a buddy's popup message unless the buddy, when specifically asked, can verify the nature of the link. Hyperlinks embedded in "away" messages, and all links ending in .scr, .pif or other suspect extensions, should NEVER be opened.
Suspected infections can be addressed via Jay Loden's "AimFix" program (AimFix is currently being used within the University at Albany's ResNet network). Trend Micro's "HouseCall" service has also been reported by another institution as an effective means of detecting this variant of sdbot.
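The check recommended above (treat any link whose file name ends in .scr, .pif or a similar executable extension as suspect) can be automated over captured message text. The following is an added example written for this page, not a tool from ALARM, AimFix or Trend Micro. It goes slightly beyond the alert by including several other Windows-executable extensions alongside .scr and .pif (that extension list, the "sender: message" log format and the example.invalid domains are assumptions made for the example); the first sample line reproduces the alert's captured message with its obfuscated domain.

```python
import re
from urllib.parse import urlparse

# Extensions named in the alert (.scr, .pif) plus other Windows-executable
# extensions abused the same way. Extending the alert's two examples with
# the rest of this list is an assumption made for this example.
SUSPECT_EXTENSIONS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Matches http(s) URLs up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Punctuation that commonly trails a pasted link ("...photos.pif!!", "...x.scr)").
TRAILING_PUNCT = ".,;:!?)]}'\""


def extract_urls(text):
    """Return the URLs found in a message, with trailing punctuation stripped."""
    return [m.group(0).rstrip(TRAILING_PUNCT) for m in URL_RE.finditer(text)]


def suspect_extension(url):
    """Return the suspect extension of the URL's path, or None.

    Only the parsed path is examined, so a query string or fragment
    (photos.pif?id=1) and upper-case names (PHOTOS.PIF) do not hide it,
    and a ".com" in the host name does not cause a false match.
    """
    path = urlparse(url).path.lower()
    for ext in SUSPECT_EXTENSIONS:
        if path.endswith(ext):
            return ext
    return None


def scan_message(sender, text):
    """Return (sender, url, extension) findings for one message."""
    findings = []
    for url in extract_urls(text):
        ext = suspect_extension(url)
        if ext:
            findings.append((sender, url, ext))
    return findings


def scan_log(lines):
    """Scan lines in the assumed 'sender: message' format and collect findings."""
    findings = []
    for line in lines:
        if ": " not in line:
            continue  # not a message line in the assumed format
        sender, text = line.split(": ", 1)
        findings.extend(scan_message(sender.strip(), text))
    return findings


# Constructed sample log: line 1 is the alert's captured message (domain
# obfuscated as in the alert); the remaining lines are made up for this example.
SAMPLE_LOG = [
    "buddy1: PICS FROM VALENTINES http://www.XXXXXXXXX.XXX/photos.pif :-) !!!",
    "buddy2: check this http://www.example.invalid/PARTY.SCR?from=me!!",
    "buddy3: here is the real album http://www.example.invalid/album.html",
    "buddy4: away message: back soon, see http://www.example.invalid/me.jpg",
]

if __name__ == "__main__":
    for sender, url, ext in scan_log(SAMPLE_LOG):
        print(f"SUSPECT link from {sender}: {url} ({ext})")
```

Running the block on the constructed log flags the first two lines (the .pif link from the alert and an upper-case .scr link hidden behind a query string and trailing punctuation) and passes the .html and .jpg links. A desktop-support team could point the same functions at exported chat logs or at a proxy's URL log to spot which users have seen such links.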
ITS Actions: At this time, the AimFix site is being considered as an addition to the University's proxy list.
Resources:
AimFix Home page:
http://www.jayloden.com/VirusClean.htm
Trend Micro's HouseCall page: http://housecall.trendmicro.com/housecall/start_corp.asp
UAlbany (non-ALARM) alert regarding AIM-borne sdbot activity: http://www.albany.edu/its/alerts/aim_virus.html
Siena College alert for sdbot: http://www.siena.edu/antivirus/viruses/sdbot.asp