New IM worms target MSN users

Antivirus companies are warning users of Microsoft's popular MSN Messenger application about a host of new worms that spread using instant messages (IMs) over that network.

New versions of the Bropia and Kelvir worms appeared on Monday and are spreading over MSN Messenger, according to alerts issued by leading antivirus companies. Also on Monday, antivirus companies warned customers about the first in a new family of worms, dubbed "Sumom," or "Serflog," which also spreads over MSN. The spate of IM worms is evidence that virus writers are finally realizing the potential of IM to quickly disseminate malicious code, according to one antivirus expert.

IM worms have been gaining popularity in virus-writing circles for months. The Bropia worm, which spreads using MSN Messenger, burst onto the scene in January. New variants from that family of worms have appeared almost weekly ever since.

Bropia has been joined by a number of new IM worms in recent weeks. Kelvir, which first appeared on Sunday, has already spawned three new variants, according to data from Symantec. MSN is not the only victim. The Stang and Aimdes viruses spread over America Online's AOL Instant Messenger (AIM) network.

The new worms all target machines that run Microsoft's Windows operating system and steal IM contacts from machines they infect, meaning that victims often receive IM messages containing the virus from friends or acquaintances. The worms also use so-called "social engineering" tricks, such as vague but familiar-sounding messages and salacious file attachments to get users to open files that install the virus or visit Web pages that install viruses, spyware or Trojan horse programs on the victim's machine.

Kelvir arrives in an MSN message that reads "lol! see it! u'll like it," with a link to a file called "omg.pif" that is hosted on the home.earthlink.net Web server. When recipients click on the link, the virus infects the victim's computer and sends identical messages to all of that user's contacts, according to F-Secure.

Serflog, the new IM worm that appeared on Monday, arrives in a blank MSN message with links to one of a number of PIF files that contain the virus, such as "My new photo!.pif," "Topless in Mini Skirt! lol.pif" and "Fat Elvis! lol.pif," Symantec said.

Virus writers have realized that IM is a useful medium for distributing viruses because IM users are inclined to look at or click on IM messages that pop up on their computer desktop, said Gregg Mastoras, a senior security analyst at Sophos.

Many IM users are also relatively new to the technology, compared with e-mail, and are less aware of the threat of IM viruses than they are of e-mail viruses, he said.

Firewalls and antivirus products that corporations use to guard Internet gateways are often unable to stop incoming IM messages that contain virus attachments, though desktop antivirus products often detect and block executable files from being downloaded and installed. Many security products also fail to block IM viruses that use links to external Web sites to distribute malicious code, Mastoras said.

Employers and IM providers need to do more to educate users about the danger posed by viruses and other threats spread via IM, he said.

"It's a big challenge. There's a lot more work to be done, but you're not going to educate people out of being curious," Mastoras said.