Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Classic

More on the Santa IM worm

There are a couple of stories out about the Santa IM worm, otherwise known as IM.GiftCom.All. First up Sans has some interesting analysis of it. It appears that it's being hosted at 69.56.129.67, whe…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

There are a couple of stories out about the Santa IM worm, otherwise known as IM.GiftCom.All. First up Sans has some interesting analysis of it. It appears that it's being hosted at 69.56.129.67, when run it resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts to open tcp port 53. It renames itself as c:\windows\winrpc.exe and sets up shop as "Windows RPC Services". They're saying instead of a worm it should be more accurately termed a bot with replicating capabilities, it is reliant on controls from an outside site. (From their analysis I presume the 69. ip address above?)


The securityfix focuses on the bug today as well. It's also put in context with the recent uptick in Instant Messenger viruses and a bleak outlook for what lies ahead.

It's essentially social engineering at it's best/worst. Social engineering is the oldest and most successful tool that a cracker has and the only way to guard against it is to increase your doubt and increase your willingness to question if it LOOKS like you've received a neat link from a friend.