AOL Instant Messenger Viruses

[brella]

Second time an IM virus has hit my company. Effects large number of users. Attacks the buddly list and send bogus IM's to everyone on the list. When you click the link in the IM, the machine gets infected with viruses and / or spyware from multilple vendors. 9 times out of 10 we have had to rebuild machines to resolve the problem. if we don't rebuild machine we spend a couple hours cleaning the spyware / viruses with standard tools and some manual deletion of files.

Has anyone else had this problem? AOL IM is critical to our organization so unfortunately not possible to do without it. Looking for a way to block hyperlinks in the AOL IM clients or some other clever solution.

Thoughts, suggestions?

Thanks

 

[aquias]

What do you utilize for Antivirus/Spyware blocking/removal? Or is it possible to utilize a different IM program? Do you utilize AOL for internal communication or is it external as well?

 

[brella]

Spyware removal and blocking we are using Pest Patrol and more recently Microsoft's Antispyware. Problem with these viruses/ spyware was their ability to regenerate. To successfully remove, had to log into machine in safe mode, delete the maliscious files, run both spyware apps, as well as another program called AIMfix which removes maliscious content from the AOL instant messenger program, then run McAfee. Very time consumming process that does not always work.

AOL IM is used internally and externally. Not possible to migrate to another messaging program. AOL IM is embedded.

Is there anyway to block hyperlinks in AOL IM?

 

[Xaqte]

Just a thought, could you use this:

http://reaim.sourceforge.net/

And block all external connections?

X

 

[brella]

Xaqte - thanks, but I think this is only for direct connect issues, which we do not utilize.

 

[aquias]

AOL is embedded? What software package are you using, if you don't mind me asking.

There is no way to block IM's via the messenger. Perhaps Trillian would have some capability to block hyperlinks and it is compatable with AOL.

Beyond that, perhaps look at adding spyware blaster to some machines to block Active X controls from being launched. I'll do some more digging

 

[brella]

AOL is embedded meaning it is a critical app to our users and embedded in their day to day work. Migrating away is not an option.

We are running AOL IM 5.5 - 5.9 depending on the date of the build.

Tried Trillian in the past but it did not like our proxy.

 

[Xaqte]

How about blocking ports 5190 to 5193 on your firewall (standard ports for AOL IM)?
Since, AOL IM reverts to port 80 if the other ports aren't available... this will go to your proxy. Setup a couple of rules on your proxy and you should be good to go.

Just a thought!

X

 

[aquias]

I'm not overly familiar with AOL AIM, but, isn't there a way to block messages from unknown users (IE. Not on your buddy list?). Can't you enable this across the enterprise?

 

[brella]

Xaqte - Proxy is using port 1080. This is a little outside my knowledge so I am not sure if that helps.

Aquias - there is a way to block everyone who is not on your buddy list. The probelm is this IM is from someone on your Buddylist. The virus / spyware sends to everyone on your buddy list. That is how it propagates.

I am looking through the registry to see if there is a way to disable hyperlinks in the IM chat window. Can't find anything though. Is there a way to create a reg key that would do that? Or maybe there is something in the installation that reads the text inputted into the chat window and says this is a hyperlink?

 

[crobg]

Did you go to the AIM site?

Try this link:

http://www.aim.com/help_faq/security/faq.adp?aolp=

It sounds like it might fix what you are up against.