Spying worm spreads via MSN Messenger, AIM

Attacks tailored to IM services contain links that could infect a PC with a Trojan horse or dangerous worm.

Munir Kotadia Special to CNET News

July 22, 2005 5:27 p.m. PT

2 min read

Microsoft's MSN Messenger and America Online's Instant Messenger services are being targeted by malicious messages containing links that could infect a computer with a Trojan horse or dangerous worm.

The latest threat is a Trojan called Kirvo, which arrives in the form of an instant message from someone on the user's "friends" list. The message contains a link to a Web site, which, if clicked on, loads a copy of Kirvo onto the computer, according to an advisory from security company Symantec. Kirvo is preprogrammed to then fetch a copy of Spybot, a dangerous worm that can take advantage of software vulnerabilities to spy on the user.

Tim Hartman, systems engineer director of Symantec in the Asia-Pacific region and Japan, said Kirvo worked in tandem with Spybot and the malware author's zombie army to seek out and infect more computers.

"All (Kirvo) does is take advantage of the user--by enticing him or her to click the link and launch the Trojan," Hartman said. "Once launched, it attempts to download a variant of Spybot, which is a true worm that takes advantage of several vulnerabilities. Kirvo appears to have been developed to assist SpyBot propagation and increase the army of Spybot zombies on the Internet."

Microsoft also noted that the worm does not exploit a security vulnerability, but instead relies on the recipient to take action. "Microsoft has not seen widespread customer impact," a company representative said Friday.

AOL could not be reached for comment.

Alan Bell, marketing director for antivirus firm McAfee, said that those responsible for Kirvo and Spybot have law enforcement authorities chasing phantoms by using compromised computers to supply copies of the worm over automated redirection services.

"If you are on a link where your IP address is changing all the time--like dial-up and to a lesser extent, broadband--you can register with a service that keeps track of your IP address," Bell said. "As your IP address changes, requests can be redirected. If the authorities chased up that IP address they would probably find some company that makes pots and pans that has a zombie computer."

Spybot is one of the most prevalent worms on the Internet, according to Bell, who said that a recent report from McAfee found that bot activity had increased more than 300 percent between the first and second quarter of this year.

"The number of bot-related cases increased by 303 percent from Q1 to Q2. It has gone from 3,000 cases to just under 13,000 cases and SdBot (McAfee's alias for Spybot) is one of the top four of the bot families. There are tens of thousands of variants out there," Bell said.

Microsoft is recommending that customers exercise extreme caution when they accept file transfers from both known and unknown sources. People can visit its MSN Messenger help site for more information.

Munir Kotadia of ZDNet Australia reported from Sydney. CNET News.com's Elinor Mills contributed to this report.