New IM worms target MSN users

IDG News Service - Antivirus companies are warning users of Microsoft Corp.'s popular MSN Messenger application about a host of new worms that spread using instant messages (IM) over that network.
New versions of the Bropia and Kelvir worms appeared yesterday and are spreading over MSN Messenger, according to alerts issued by leading antivirus companies. They also warned customers about the first in a new family of worms, dubbed "Sumom" or "Serflog," which also spread over MSN.
The spate of IM worms is evidence that virus writers are finally realizing the potential of the medium to quickly disseminate malicious code, according to one antivirus expert.
IM worms have been gaining popularity in virus-writing circles for months. The Bropia worm, which spreads using MSN Messenger, burst onto the scene in January. New variants from that family of worms have appeared almost weekly ever since.
Bropia has been joined by a number of new worms in recent weeks. Kelvir, which first appeared on Sunday, has already spawned three new variants, according to data from Symantec Corp. MSN isn't the only victim. The Stang and Aimdes viruses spread over America Online Inc.'s AOL Instant Messenger network.
The new worms all target machines that run Microsoft's Windows operating system and steal IM contacts from machines they infect, meaning that victims often receive IM messages containing the virus from friends or acquaintances. The worms also use so-called social engineering tricks, such as vague but familiar-sounding messages and salacious file attachments to get users to open files that install the virus or visit Web pages that install viruses, spyware or Trojan horse programs on the victim's machine.
Kelvir arrives in an MSN message that reads "lol! see it! u'll like it," with a link to a file called "omg.pif" that's hosted on the home.earthlink.net Web server. When recipients click on the link, the virus infects the victim's computer and sends identical messages to all of that user's contacts, according to Helsinki, Finland-based F-Secure Inc.
Serflog, the new IM worm that appeared yesterday, arrives in a blank MSN message with links to one of a number of PIF files that contain the virus, such as "My new photo!.pif," "Topless in Mini Skirt! lol.pif" and "Fat Elvis! lol.pif," Cupertino, Calif.-based Symantec said.
Virus writers have realized that IM is a useful medium for distributing viruses because IM users are inclined to look at or click on IM messages that pop up on their computer desktop, said Gregg Mastoras, a senior security analyst at U.K.-based Sophos PLC.
Many IM users are also relativelynew to the technology, compared with e-mail, and are less aware of the threat of IM viruses than they are of e-mail viruses, he said.
Firewalls and antivirus products that corporations use to guard Internet gateways are often unable to stop incoming instantmessages that contain virus attachments, though desktop antivirus products often detect and block executable files from being downloaded and installed. Many security products also fail to block IM viruses that use links to external Web sites to distribute malicious code, Mastoras said.
Employers and IM providers need to do more to educate users about the danger posed by viruses and other threats spread via IM, he said.
"It's a big challenge. There's a lot more work to be done, but you're not going to educate people out of being curious," Mastoras said.