Worms on the prowl, traveling via MSN Messenger

Antivirus companies have identified two new threats that use Microsoft's IM software to spread.

Matt Hines
Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
3 min read
New worms that use Microsoft's instant-messaging software to spread are tunneling their way across the Web.

Antivirus companies on Tuesday flagged a variation of an existing threat and a new worm, both targeting MSN Messenger.

Researchers at both Aladdin Knowledge Systems and F-Secure discovered the appearance of Win32.Kelvir.a, a new twist on the previously identified Kelvir threat. Each company also identified a new worm in the wild; Aladdin is calling it Win32.Serflog.a., while F-Secure is calling the same threat Sumom. Aladdin is rating both Win32.Kelvir.a and Win32.Serflog.a as medium-to-high risks.

"Most people still do not expect to get viruses via IM...(It's) a new way to bypass existing security methods and get into PCs."
--Shimon Gruper,
vice president of technology,
Aladdin Knowledge Systems

The appearance of the new worms underscores the growing popularity of malicious software that relies on instant messaging, or IM, to spread. It follows a similar attack last month by another program meant to use Messenger to spread itself. In early February, researchers at Trend Micro detailed a variant of the Bropia worm that used Messenger. The Bropia.f worm was packaged with a second, more damaging worm that tried to exploit computers with improperly patched software.

While Microsoft spokesmen were quick to point out that the Messenger attacks do not take advantage of any flaw in the software, the company said it recommends that customers exercise "extreme caution" when accepting file transfers from both known and unknown sources on IM.

According to Aladdin, Win32.Kelvir.a spreads via a URL sent in an IM that contains an infected file. After clicking on the link, a person's computer becomes infected by the worm. When the program is executed it attempts to drop multiple copies of itself onto the person's PC. The worm also executes itself with every subsequent startup of the IM software by modifying registry entries, and it forwards itself to all of an individual's IM contacts. The threat presents itself hidden in a message that reads "omg this is funny!", followed by the URL.

Aladdin said that Win32.Serflog.a, or Sumom, presents itself as an attachment in an instant message. The worm attempts to spread by dropping copies of itself into folders typically shared by peer-to-peer software clients. The infected message reads "????omg click this!", followed by an attachment that harbors the worm. The company said Win32.Serflog.a also drops several hidden files into infected machines and attempts to cancel security functions of Messenger, while blocking access to several related Web sites.

In the first six weeks of 2005, 10 instant-messaging worms and their variants spread over America Online, ICQ and MSN networks, according to researchers at Akonix Systems. That's more than three times the number of worms that spread over public IM networks over the same period last year, and Akonix expects the trend to continue to climb.

Shimon Gruper, vice president of technology at Aladdin, said that the Kelvir variant probably poses a greater risk to IM users, because people are far more likely to click on a Web link than they might be to open an attachment. However, because both of the worms are designed to appear as if they've been sent by a known contact, he believes that either could do serious damage.

"Most people still do not expect to get viruses via IM," Gruper said. "They know about viruses sent in e-mail, but they're not as informed about IM threats, which pop up on your desktop and look like they come from someone you already talk to. IM worms are a growing threat because the hackers have tried to exploit almost every opening they can find in e-mail software, and IM is a new way to bypass existing security methods and get into PCs."

The latest round of worms targeting Messenger also bear some signs that the individuals writing the malicious programs have begun to use the threats to communicate with one another, possibly in a manner similar to street gangs' use of graffiti tags to mark their territory. A text file deposited on infected machines by Win32.Serflog.a features a message to "Larissa," the name for the hacker thought to be responsible for a worm known as Assiral.a, which attempted to disable the malicious Bropia worm.

Munir Kotadia of ZDNet Australia contributed to this report from Sydney.