#1
Anti-virus vendors report an increased chatter of virus activity on Microsoft Corp.'s Microsoft Network messenger Sunday night through Monday.

In what appears to be a concentrated attack on users of the MSN instant messaging client, security experts warn that several new worms with unique replication techniques have been launched alongside mutants of the known Bropia virus family.

"We are regularly adding detection for new Bropia worm variants," F-Secure virus analyst Alexey Podrezov said in a notice. In addition, he said two new MSN worms—identified as Kelvir and Sumom—have also joined the fray.

Both Kelvir and Sumom, like the Bropia mutants, are capable of installing the Backdoor.Rbot Trojan horse, which gives an attacker remote access to a compromised system.

The Rbot Trojan can be controlled via IRC (Internet Relay Chat) to monitor networks and hijack sensitive information; scan a network of machines for unpatched security holes; or to launch denial-of-service attacks. The Trojan can also be used to log keystrokes and send detailed information about the victim machine, including passwords, to the attacker.

Shane Coursen, senior technology consultant at Kaspersky Lab, said the increased instant messaging worm activity underscores the use of social engineering tactics to trick victims into executing a malicious file.

In the case of the Bropia variants, the worm author uses the lure of adult-oriented images (Paris Hilton's name is commonly associated with the worms) transmitted as hyperlinks in an IM session. The worms all arrive with a .PIF (program information file) extension and, once a user clicks on the link, the computer becomes infected and in turn continues the propagation by sending the file to all found MSN Messenger contacts.

"This has the potential to massively distribute itself," Coursen told eWEEK.com. "It sends itself wholesale to all contacts on the MSN buddy list. One more click there and the cycle continues."

Additionally, the worm attempts to download a file named "me.jpg" and save it to the infected C:\ drive as "dumprep.exe." When executed, the downloaded file is a variant of the RBot backdoor, Coursen said.

Anti-virus experts at Trend Micro Inc. rate the latest threat as "medium risk" and warned that the backdoor Trojan element could present untold dangers.

"The similarities between these worms may be attributed to MSN propagation code that has been posted to forums used by virus writers," the company said in an advisory.
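
A defender-side sketch of two indicators the article above describes: an IM link that ends in .PIF, and a download named like an image ("me.jpg") that is really a Windows executable. This is an added example, not part of the original post or any vendor's tooling; the function names, extension lists and sample messages (example.test URLs) are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs directly; .pif is the one named in the article.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _ext(name):
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def risky_links(message):
    """Return URLs in an IM message whose path ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")  # punctuation that trails a pasted link
        # Only the last path segment is checked, so a ".com" host is not a hit.
        last_segment = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
        if _ext(last_segment) in EXECUTABLE_EXTS:
            hits.append(url)
    return hits


def is_disguised_executable(filename, head):
    """True when a file named like an image starts with the DOS/PE magic 'MZ'."""
    return _ext(filename) in IMAGE_EXTS and head[:2] == b"MZ"


# Constructed sample data (not taken from real traffic).
SAMPLE_MESSAGES = [
    "omg this is funny! http://example.test/pics/funny.pif",
    "holiday photos http://example.test/album/beach.jpg",
    "look: HTTP://example.test/a/pic%2EPIF.",
]
SAMPLE_DOWNLOADS = [("me.jpg", b"MZ\x90\x00"), ("beach.jpg", b"\xff\xd8\xff\xe0")]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(risky_links(msg) or "clean", "<-", msg)
    for name, head in SAMPLE_DOWNLOADS:
        print(name, "disguised executable:", is_disguised_executable(name, head))
```

A link that carries the file name only in its query string is not caught by the path check, so the content check on the downloaded bytes is the stronger of the two.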
#2
Worms on the prowl, traveling via MSN Messenger
Published: March 8, 2005, 10:23 AM PST
By Matt Hines, Staff Writer, CNET News.com

New worms that use Microsoft's instant-messaging software to spread are tunneling their way across the Web.

Antivirus companies on Tuesday flagged a variation of an existing threat and a new worm, both targeting MSN Messenger. Researchers at both Aladdin Knowledge Systems and F-Secure discovered the appearance of Win32.Kelvir.a, a new twist on the previously identified Kelvir threat. Each company also identified a new worm in the wild; Aladdin is calling it Win32.Serflog.a, while F-Secure is calling the same threat Sumom. Aladdin is rating both Win32.Kelvir.a and Win32.Serflog.a as medium-to-high risks.

The appearance of the new worms underscores the growing popularity of malicious software that relies on instant messaging, or IM, to spread. It follows a similar attack last month by another program meant to use Messenger to spread itself. In early February, researchers at Trend Micro detailed a variant of the Bropia worm that used Messenger. The Bropia.f worm was packaged with a second, more damaging worm that tried to exploit computers with improperly patched software.

While Microsoft spokesmen were quick to point out that the Messenger attacks do not take advantage of any flaw in the software, the company said it recommends that customers exercise "extreme caution" when accepting file transfers from both known and unknown sources on IM.

According to Aladdin, Win32.Kelvir.a spreads via a URL sent in an IM that contains an infected file. After clicking on the link, a person's computer becomes infected by the worm. When the program is executed it attempts to drop multiple copies of itself onto the person's PC. The worm also executes itself with every subsequent startup of the IM software by modifying registry entries, and it forwards itself to all of an individual's IM contacts. The threat presents itself hidden in a message that reads "omg this is funny!", followed by the URL.

Aladdin said that Win32.Serflog.a, or Sumom, presents itself as an attachment in an instant message. The worm attempts to spread by dropping copies of itself into folders typically shared by peer-to-peer software clients. The infected message reads "????omg click this!", followed by an attachment that harbors the worm. The company said Win32.Serflog.a also drops several hidden files into infected machines and attempts to cancel security functions of Messenger, while blocking access to several related Web sites.

In the first six weeks of 2005, 10 instant-messaging worms and their variants spread over America Online, ICQ and MSN networks, according to researchers at Akonix Systems. That's more than three times the number of worms that spread over public IM networks over the same period last year, and Akonix expects the trend to continue to climb.

Shimon Gruper, vice president of technology at Aladdin, said that the Kelvir variant probably poses a greater risk to IM users, because people are far more likely to click on a Web link than they might be to open an attachment. However, because both of the worms are designed to appear as if they've been sent by a known contact, he believes that either could do serious damage.

"Most people still do not expect to get viruses via IM," Gruper said. "They know about viruses sent in e-mail, but they're not as informed about IM threats, which pop up on your desktop and look like they come from someone you already talk to. IM worms are a growing threat because the hackers have tried to exploit almost every opening they can find in e-mail software, and IM is a new way to bypass existing security methods and get into PCs."

The latest round of worms targeting Messenger also bears some signs that the individuals writing the malicious programs have begun to use the threats to communicate with one another, possibly in a manner similar to street gangs' use of graffiti tags to mark their territory. A text file deposited on infected machines by Win32.Serflog.a features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.a, which attempted to disable the malicious Bropia worm.

Munir Kotadia of ZDNet UK contributed to this report from London.