Virus threat

As an increasing number of worms are spreading via MSN Messenger and drop bots attack networks across the Middle East, worm writers are using their creations to exchange insults.

  • E-Mail
By  Sarah Gain Published  March 8, 2005

Trend Micro is issuing a medium risk, ‘yellow’ alert to raise awareness of two new worms that are being spread through MSN Messenger, the popular instant messaging platform. worm_kelvir.b and worm_fatso.a have been sighted in Asia Pacific countries, the Middle East, and the U.S. The similarities between these worms can be attributed to MSN propagation code that has been posted to forums used by virus writers. Although presumed to be unconnected, these worms send users an instant message with links to web sites where users unknowingly download bot programs, which can then open backdoors into the network for hackers. Both worm_kelvir.b and worm_fatso.a are memory-resident worms that spread copies of themselves to all online MSN Messenger contacts on the infected system. The outgoing instant message contains a link to a web site; when the recipient clicks on the link, a copy of the worm is downloaded on the recipient’s system. worm_fatso.a also propagates via eMule, a peer-to-peer file sharing application. worm_fatso.a drops several files onto affected systems with filenames including celebrity names such as “Fat Elvis! Lol.pif” and “Jennifer Lopez.scr” and inappropriate content along the lines of “Topless in Miniskirt!lol.pif”. One of the files is a text file containing a personal message to “Larissa”, the creator of the worm_assiral.a, which was discovered in mid-February and was designed to terminate variants of the bropia worm, an MSN Messenger-based worm that began appearing earlier in the year. worm_assiral.a arrived as an email attachment, and caused the text “Larissa – Anti-Bropia – Freeing the world of Bropia” to appear on an infected machine. The fatso worm’s message to Larissa, criticises the efforts to kill off the bropia worm, contains profanities interspersed with symbols and numbers and is signed ‘-s-k-y-‘-d-e-v-i-l-‘ The message may sound comical but the message indicate a growing trend among virus writers and hackers to use the web to propagate a form of internet gang warfare, according to Jamz Yaneza, senior virus researcher at Trend Micro’s Trendlabs. “They are using malware creations as a vehicle to communicate insults at one another. The real losers in this game are the end users who are unaware their systems are being infected, or that back doors are being opened to their networks,” Yaneza says. worm_kelvir.b arrives in a file approximately 46 KB in size while worm_fatso.a is delivered in a file of around 17 KB and can be compressed in MEW format. Users need to be vigilant, watching for files that might contain the worms, which both affect the Windows 95, 98, and 2000 editions as well as the ME, NT and XP platforms.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code