New IM Worms Hit MSN Messenger

TechWeb News ^ | March 07, 2005 | Gregg Keizer

[RebelTex]

New worms spreading through MSN Messenger -- and its bundled-with-Windows Windows Messenger version -- via links to a malicious site are infecting users and leaving their PCs open to hacker hijack, security vendors reported Monday. The new worms, tagged as Kelvir.a and Kelvir.b, appeared over the weekend and on Monday, respectively, anti-virus vendors said. Both use the same mechanism to attract users and infect Windows-based PCs: they include a link in the instant message. That link, in turn, downloads a malicious file -- the actual worm, a variant of the long-running Spybot -- which opens a backdoor to the compromised machine.

Kelvir spreads by sending itself to all the MSN/Windows Messenger contacts on the infected PC, and poses as cryptic messages such as "lol! see it! u'll like it!" and "omg this is funny!" The link opens a .pif-formatted file.

.pif files are also often a format-of-choice for mass-mailed worms.

Also on Monday, another worm -- dubbed Sumon.a by U.K.-based Sophos -- was discovered spreading via MSN/Windows Messenger. Sumon, which propagates over peer-to-peer file-sharing networks as well, is much more aggressive. It disables a long list of security software, tries to overwrite the HOSTS file so commonly-accessed security Web sites can't be reached, and picks from a large number of links, including "Fat Elvis! lol!" and "Crazy frog gets killed by train!" to entice downloads.

[RebelTex]

"Just sent my son an IM telling him not to click on links... and provided a link to the warning site.

This will be interesting to see how he reacts."

oooh - You're so mean, heheh.

Please - report the reaction - we've got to know what happens.

 

[RebelTex]

You're welcome.

[John Lenin]

bump

[RebelTex]

"Windows is the ultimate time waster."

You're probably right.  My daughter just got a new Apple Notebook - maybe she can teach me something about it.

[RebelTex]

"Does that mean if 'you' have downloaded the spybot 'detection program', that 'you' have downloaded a worm/virus/bug/etc???"

I don't think so - but then, what do I know?

;^D

 

[RebelTex]

"...until the wife-unit turned on me."

Ouch.  Wife-units must be treated very gently, with lots of attention, or they can become ... well, you fill in the blanks.

;^D

[HAL9000]

She sounds like a smart kid. She must have been raised right.

[RebelTex]

"I like a virus that makes my computer freeze up like a rasberry smoothie."

LOL

[RebelTex]

Have to go - back in a few hours.

If I missed your post, I'll try to answer it then.

[holymoly]

If you're talking about "Spybot - Search & Destroy", the answer is "no". "Spybot - S&D" has a long record as a safe and effective anti-spyware program.

[meadsjn]

Download and run Shoot the Messenger from Gibson Research Corporation.

[chiller]

What's the latest on the MS's service pak2 update. Is it working well? I'm installing a new hardrive tomorrow, and will reload everything. Today, without SP2 I'm literally being bombarded, much via the messenger backdoor, I think.

[KoRn]

"Does that run on WinXP?"

I don't know off hand. I believe they do have a Win XP installer. Go to their site and check it out....I'm too damned lazy!

[KoRn]

Thanks for the ping. I've been watching this one for the last few days. All 600 PC's on my net are now without messenger. I'm gonna do another 'patrol' tomorrow to check for possible rebellious users.

[stylin_geek]

And yet again, I see no reason for Messenger to come bundled in XP Pro and install by default!!

I like XP Pro, but this is one feature I can do without, especially as a systems admin.

[Dysfunctional]

...I guess just turning off those 3rd party cookies doesn't help all that much does it?

[suzyq5558]

LOL, thats one of the better ones on that dumb commercial

[LTCJ]

She uses Win2K at work and brings piles of it home.

MSOffice files? I finally bit the bullet and bought CrossOver Office so I could run MSOffice2000 under SuSE linux.

I tried the free demo for a month and then pried open my wallet spent $39 for the software - which explains the recent rash of earthquakes. But I digress.

So far all my macros and old spreadsheets seem to work as before - I consider myself to be an advanced Excel user (not so much with Word). And I've been feeding the resulting Word and Excel files to ten different users with different OS/MSO/hardware configs with zero compatibility issues to date - KoW.

Best of all, I'm spend a lot less time maintaining the system.

Linux isn't for everybody but if you've tried it and MSOffice compatibility was your major roadblock - it's well worth trying the COO free demo.

[RebelTex]

"Install an antivirus program or better yet, an internet security suite; keep it up to date using the auto update feature; and configure it to scan instant messages, as well as every file you open."

Yep - already way ahead of you.  I'm just being a grouch about all the viruses, worms, and hackers out there - I've got better things to do with my time than to constantly download & install Win patches and updates (but I do it anyway).  Then there seems to be 2 or 3 Norton AV updates everyday.  Then there's Zone Alarm, MS Office, Norton Internet Security, bios upgrades, hardware driver updates, new toys, industry software programs, website maintenance, email, and on and on.  Hell, if I could get away from this dang computer for an hour or 2 a day, maybe I could make some money, lol.

[RebelTex]

"I use Trillian for all of my IM programs. I wonder if it will block this from happening...."

I don't know anything about Trillian - sorry.