E-mail worm graduates to IM

Chod.B worm is now spreading over MSN Messenger, after propagating over e-mail systems last week.

Munir Kotadia Special to CNET News

April 5, 2005 6:28 a.m. PT

2 min read

A worm that first disguised itself as an e-mail from computer vendors is now attempting to trick MSN Messenger users into executing malicious files.

The Chod.B worm, which was first discovered on April Fools' Day, spreads via e-mail purportedly from Microsoft and security companies Symantec and Trend Micro.

When using the MSN Messenger instant-messaging client as its propagation tool, the virus sends out messages to contacts from the infected user's address book, warning them that they are about to receive a file. The virus then sends a file designed to infect the recipient's system.

Adam Biviano, Trend Micro's senior systems engineer, said the development is "alarming" because the technique mimics the behavior of a real IM user.

"The virus will send you a message first saying, 'Check out what I just found on the Internet,' and then sends you (the malicious) file. It is not just sending files out of the blue anymore--it is trying to imitate what a friend in your contact list would do," he said.

Chod.B also contains a tool that allows it to steal passwords from a number of IM applications--including America Online's AIM, ICQ Lite, Miranda, MSN Messenger Trillian and Yahoo Messenger, Biviano said.

He said that because the virus author has included a way to communicate with the virus, it could mean that in the future the same virus could be instructed to infect more than just MSN Messenger users.

However, even when using e-mail to spread, Chod.B spoofs the "from" field of the e-mail so it appears to have been sent from either security@microsoft.com, security@trendmicro.com or securityresponse@symantec.com.

According to Biviano, viruses in the past have tried to look like they were sent by Microsoft but this is the first time that virus writers have tried to pass off a virus as a message from an antivirus company.

"We have seen them in the past from Microsft.com, but not specifically from the other two addresses. It is just another social engineering attempt to try and trick users into executing the files," Biviano said.

Biviano said although Chod.B is cleverly designed, it is unlikely to become a widespread threat.

MSN Messenger--which has previously been targeted by virus writers--isn't the only instant messaging service to be exploited. Last week, phishers took aim at Yahoo's Messenger service, attempting to steal usernames, passwords and other personal information. The Internet giant confirmed that attackers were sending its members links to fake Web sites that mimicked a Yahoo site and asked people to log in by entering their username and password.

Security company Websense has warned that hackers are increasingly using IM applications to fool users into installing malicious code and revealing personal information.

Munir Kotadia of ZDNet Australia reported from Sydney.