The IM.GifCom.All worm shows up as an innocuous-seeming URL in a chat message screen, featuring a link to what appears to be a Santa Claus site, said IM security vendor IMlogic, which first discovered the worm Monday.
In reality, clicking on the link starts a download that embeds a rootkit on the user's PC. The payload within the rootkit often goes by the name of gift.com, security experts at IMlogic said, and it immediately begins scanning the user's registry, file system and Internet cache.
The rootkit also contains a keylogger that records the user's keystrokes, a tool malicious software writers generally use to collect sensitive information such as credit card numbers, login information and passwords.
The worm may also try to propagate itself to the user's buddy list.