Dangerous worm attacks instant messaging clients

By Victor Ng | Aug 26, 2010

A highly infectious new family of computer worms has started making its rounds. They target popular instant messaging clients to take control of a computer without the user’s knowledge.

Internet users in Asia are already being attacked. Earlier this month, countries such as Mexico, Brazil, Peru and the USA have seen the greatest numbers of infections, with what is being dubbed the ‘IM-Worm’ also spreading across Africa, India and Europe, particularly Spain.

What makes these worms highly unusual is that they are multilingual and capable of infecting users via several IM clients simultaneously, including Yahoo! Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers.

Four variants of this worm have so far been detected by experts at Kaspersky Lab, who have named the family IM-Worm.Win32.Zeroll.

Once one of these worms penetrates a computer, it looks in the contact list of any IM client present and sends itself to all the addresses it finds. Infection occurs when a user follows what they think is a hyperlink to an interesting picture but which in fact leads to a malicious file. The link appears in an instant message sent by an infected machine.

Users of Skype and MSN in Asia have reported receiving multiple messages from people they know, with links such as:

     Is this you on pic?
     http: // elfarah.net/photos.php

The fact that it is multilingual also makes the new family of IM worms stand out. IM-Worm.Win32.Zeroll uses 13 different languages, including English, German, Spanish and Portuguese, sending users in various countries messages in a language that they will understand.
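As an added illustration (not code from the article or from Kaspersky Lab), the following Python sketch shows how a defender reviewing IM gateway logs could flag the propagation pattern described above: one account pushing the same link to many contacts within a short window. It keys on the URL rather than the message text, so the 13-language lure makes no difference to the detection. The log line format, account names, timestamps and the `example.invalid` URL are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IM gateway log (not real traffic): "timestamp sender -> recipient: text".
# The first four lines mimic a worm fanning the same link out to every contact in
# several languages; the last two are ordinary chatter.
SAMPLE_LOG = """\
2010-08-20 10:01:02 alice -> bob: Is this you on pic? http://example.invalid/photos.php
2010-08-20 10:01:03 alice -> carol: Bist du das auf dem Bild? http://example.invalid/photos.php
2010-08-20 10:01:04 alice -> dave: ¿Eres tú en la foto? http://example.invalid/photos.php
2010-08-20 10:01:05 alice -> erin: É você na foto? http://example.invalid/photos.php
2010-08-20 10:30:00 bob -> alice: lol no, that's not me
2010-08-20 11:15:00 carol -> dave: check out my blog http://blog.example.invalid/post/1
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) -> (\S+): (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Turn log text into (timestamp, sender, recipient, message) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_fanout(events, min_recipients=3, window=timedelta(minutes=5)):
    """Flag (sender, url) pairs where the same link reaches >= min_recipients distinct
    contacts inside a sliding time window. Message text is deliberately ignored, so the
    heuristic is language-agnostic."""
    by_key = defaultdict(list)
    for ts, sender, recipient, text in events:
        for url in URL_RE.findall(text):
            by_key[(sender, url.rstrip(".,!?"))].append((ts, recipient))

    alerts = []
    for (sender, url), hits in by_key.items():
        hits.sort()  # time-ordered for the sliding window
        best = set()
        start = 0
        for end in range(len(hits)):
            # advance the window start until all hits fit inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            recipients = {r for _, r in hits[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            alerts.append({"sender": sender, "url": url, "recipients": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"possible IM worm: {alert['sender']} sent {alert['url']} "
              f"to {len(alert['recipients'])} contacts: {', '.join(alert['recipients'])}")
```

The threshold and window are tunable; a real deployment would also want to whitelist the organisation's own link shortener or file-sharing domains, and correlate a hit with the sender's host so the endpoint can be isolated before the next contact list is harvested.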

IM-Worm.Win32.Zeroll has backdoor functionality, which means it can gain control of a computer without the user’s knowledge. Once it has penetrated a system, the worm contacts a remote command and control center.

After receiving its instructions from the center via IRC, IM-Worm.Win32.Zeroll starts downloading other malicious programs. Interestingly, this new breed of IM worm connects to different IRC channels depending on the country and the infected application. This means a hacker controlling a network of infected computers can classify them according to country and IM client and send out different commands, which is useful, for example, when distributing targeted spam.

“It appears that the worm’s creators are currently in the early stages of their criminal activities,” said Mr Jimmy Fong of Kaspersky Lab, South-East Asia.

Referring to the booming underground online economy, he added: “They are infecting as many machines as they can in order to get good offers from other crooks for such things as pay per install, spam and so on.”