MSN Messenger hit by double-whammy worm

Trend Micro is warning of a new variant of the Bropia worm that uses MSN Messenger to spread.

The Bropia.F worm is packaged with a second, more damaging worm that tries to exploit poorly patched computers, the antivirus company said on Thursday.

The latest variant of the Bropia worm was discovered on Wednesday evening, Trend Micro said. It infects systems belonging to users of MSN Messenger by sending itself as a picture of a roast chicken with tan lines to all available or online contacts. It also releases a second more dangerous worm, called Agabot.ajc, on the infected computer.

Adam Biviano, a senior systems engineer at Trend Micro, said that although there have only been a handful of reported infections, the company has declared the worm a medium risk, because of its potential to spread and steal users' bandwidth.

"The potential for damage is quite high, because it drops another worm on your machine that is quite nasty and can spread through network by taking advantage of unpatched desktops and servers," Biviano said.

Biviano said this variant of Bropia can easily be avoided, because it exploits vulnerabilities that could have been patched months ago and relies on people opening a file through MSN Messenger. He advises people to only open files received through the instant messaging program if they are expected--even if they are from a contact. It is very possible that the file is being sent unbeknown to that person, he said.

"Usually, if you are sending a file using (an instant messaging program), you say 'I'm sending you this picture, have a look at it.' It is never random or out of the blue," Biviano said.

The worm affects MSN Messenger on computers running Windows 95, 98, ME, NT, 2000 and XP, according to Trend Micro's advisory. The company is advising MSN Messenger users to avoid accepting file transfers coming from an untrusted source.

Biviano said the second worm--Agabot.ajc--has the potential to perform a distributed denial-of-service attack on certain services. For example, it preys on the same vulnerabilities that were exploited by Slammer, Blaster (MSBlast) and Sasser.

Biviano said this variant of Bropia is the first worm to use instant messaging that has been given a higher-level alert status. It probably won't be the last, he said.

"Obviously, the popularity of IM itself is starting to gain the attention of the virus writers," he said, "and they are now using it as a tool."

This seems to happen once every few months

A simple way to avoid is to have a product that blocks at network boundary based on type of extensions and block all the malicious types. Could nip such a spread e.g. http://www.networktwister.com/worm.shtml

[Dr Dude]

Mac OS X unaffected!

Nuff said!

Mac OS X Unaffected (Pt. 2)!!!!!

Received five requests to accept an unknown image file from
contacts well known to me and I accepted them all knowing well
that my precious PowerBook would be immune to any virus/
trojan/variant etc. that would potentially destroy windows based
machines!!

Here's hoping more people see the light and SWITCH!!!