
December 6, 2005 5:43 PM PST

New IM worm chats with intended victims

You can now instant message with a worm.

A new worm that targets users of America Online's AOL Instant Messenger is believed to be the first that actually chats with the intended victim to dupe the target into activating a malicious payload, IM security vendor IMlogic warned Tuesday.

According to IMlogic, the worm, dubbed IM.Myspace04.AIM, has arrived in instant messages that state "lol thats cool" and include a URL to a malicious file, "clarissa17.pif." When unsuspecting users have responded, perhaps asking if the attachment contained a virus, the worm has replied: "lol no its not its a virus", IMlogic said.

The malicious file disables security software, installs a backdoor and tweaks system files, the company said. Then it starts sending itself to contacts on the victim's buddy list.

But the worm is programmed so that the infected user cannot see the messages that are being sent out by the worm, according to IMlogic.

"This is a first," said Andrew Burton, director of product management at Waltham, Mass.-based IMlogic. This worm is not widespread, but attackers are just trying out this new technique, he said. "We will see one or two instances of an attack, there will be a refinement and then there will be an outbreak."

The inclusion of an IM bot is another sign that IM worms are becoming more sophisticated. Another worm, also spotted on Tuesday, takes a more traditional route: it spreads under the guise of a holiday greeting card, IM security specialist Akonix Systems said Tuesday.

The holiday worm, dubbed Aimdes.E, targets AIM users and arrives with the message: "The user has sent you a Greeting Card, to open it visit:" followed by a link. Once the target clicks on the link, the worm installs itself on the system. It opens a backdoor on the computer and sends itself to contacts on the buddy list, Akonix said.

Advice to users is to be careful when clicking on links in IM messages--even when they seem to come from friends--and to use up-to-date antivirus software. When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not.


43 Comments
haha, that's smart
by digitallysick December 6, 2005 7:06 PM PST
poor windows aol users! they get picked on so bad
Are you 5?
by Carmen89 December 7, 2005 6:21 AM PST
You are so childish. Don't act like it's another kick in the mouth for Windows users. The only reason why there are so many of these stupid viruses is because MS is so widely spread. It's not going to go after a small percentage of users; then what the heck is the point of making the virus in the first place? They do it so it spreads in a large lump, not the small percent of MAC and other users.
This is NOT the first im virus to "talk back"!!
by Digital_Freedom December 7, 2005 5:36 AM PST
I had a Yahoo Messenger virus do almost exactly the same thing in 2003!! The only difference was that it never told people that it wasn't a virus. What it did say was things like "lol! hey check out this link" and other stuff.. It got to the point I had to tell people "don't click that, I didn't say that!"... It was a nasty virus that was not listed anywhere. I had to fdisk and format my drive to kill it. So, this is NOT the first time a virus of this nature has been discovered. But, I don't think the virus I found was ever flagged by an anti-virus program.
You missed the point
by noname976431 December 7, 2005 7:32 AM PST
There's been lots of viruses/worms/etc that have used IM to spread. And many of them do exactly what you described, send every contact on a victim's list a message that says, 'Check this link' or 'this is cool'. This one does exactly that, however, if a user types a response to the victim, the WORM prevents the victim from seeing the message and the WORM responds to the user. This is very different from what you described.
Think how nasty they could get...
by cparks0225 December 7, 2005 6:18 AM PST
Just think, these things could read through a user's history files to pick out any type of confirmation that you may currently be using to verify that the links your friends are sending you are sent on purpose. Personally, I think I'm done clicking links through IM.
Smart
by Carmen89 December 7, 2005 6:23 AM PST
I think it's just smart to banish clicking links for good. If it's that important they can find another way to inform you on whatever it is they want to show you.
How about clicking this link?
by cyber_rigger December 7, 2005 7:26 AM PST
Here is the scariest virus site yet.

http://207.46.130.108


Use MS Windows. Live in fear.
Too Dang Funny - I wonder where the proofreader is today
by December 7, 2005 7:07 AM PST
From the article: "When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not."

Of course, the worm will reply "lol no its not its a virus"
What OS?
by flangeku December 7, 2005 8:19 AM PST
I know this is probably for Win2K/XP, but since AOL Instant Messenger is also available for Win98/Me, Mac OSX, and Linux, your article should probably specify.
re: WHAT OS?
by NickEP December 7, 2005 3:01 PM PST
Many c|net virus/worm articles either don't mention the affected OS, or bury it later in the story after how the virus/worm affects the user.

This is, simply, bad journalism writing.
It's a .pif file
by aonfiek December 7, 2005 5:46 PM PST
NEVER OPEN A .PIF File

They're old DOS (Windows 3.1) shortcut files.
They can have all kinds of virus code put in them, and because you never see them anymore, be wary of one that someone, or something, wants you to download.
"THIS IS THE FIRST"
by n3td3v December 7, 2005 11:55 AM PST
This is completely false. I guess as always these guys don't know what they are talking about! The guys are making it up as they go along to get media headlines! Why do CNET continue to take quotes from these guys when you can just e-mail me instead?
I agree- This is NOT the first...
by Digital_Freedom December 9, 2005 11:49 AM PST
I agree. I had a Yahoo Messenger virus chat to whoever I was in PM with around 2002 - it too tried to get them to click a link to install the virus on their computer. The only difference is that my virus never told the victim it wasn't a virus, and I could read what it was saying. This CNET virus cloaks itself so the user can't read what it is saying - that's the new part.
Worms
by Eskiegirl302 December 7, 2005 6:21 PM PST
Well, I read all the posts. Hmmm...Run out and buy Linux or Mac and learn how to use those. Not today but thanks for the suggestion.

Hmm...Make up stories. Think even if they are made up I would want the information. Thank you, CNET.

Hmm...Links in the IM cause the problem. Don't type the whole string (link) to another user. Instead of http://www.yadayada.com type yadayada; let them type the string. Ignore the bots; see who is really in the room. Watch it for a bit and you will be able to tell.

Like my windows. Keepin it.

Esk
Re: Worms
by fairyboi17 December 8, 2005 12:58 AM PST
Honestly, that sounds like a very good idea to just send part of the string (link), but if you are trying to show someone a webpage that you made through a website, such as angelfire, geocities, or myspace, then they are going to need more than just part of the string.
Typical Windoze mentality
by Macsaresafer December 8, 2005 12:21 PM PST
Eskie, I don't doubt that you had a tough time learning to deal with
Windoze, and you naturally think that learning another OS would be
just as difficult, but it's not.

Most switchers are surprised at how much easier the Mac is. Often,
the only thing stopping them from trying things on their Mac is the
fear they brought with them from Windoze. Once they get over
that, it's smooth sailing, and without viruses & spyware.
Pathetic
by Teome December 7, 2005 7:50 PM PST
How foolish do you have to be to actually fall for that? Wouldn't you realise that it isn't your friend and wouldn't you first check the link location to see what it is?

if you like taking the long way:
-right click
-copy shortcut
-paste to desktop
-right click > properties

...that was tough.
AIM in general
by December 7, 2005 11:59 PM PST
I've always found it strange that if one installs or even just runs the executable for AIM, it immediately makes it so if you block aol.com using the hosts file, it does no good--it still lets you go to aol.com. I wonder what they're doing that lets them bypass the hosts file. Since the whole Sony thing, I've been wondering whether there's something not-so-cool going on with AIM.
There's a difference here.
by Haterabbit December 8, 2005 1:00 AM PST
The problem we're ignoring is that while the idea of clicking a link from someone sending you an obsolete filetype, who's typing like an idiot, would be ridiculous to folk like US, there are piles upon piles of people who can't tell a good AV program from their anus. That said, it's unlikely that any of the readers on this website would even think about clicking links which are so blatantly obvious in their virus-hood(?).

Trojans these days are so widespread that it seems unlikely that they're even meant for malicious purposes anymore, so much as they are meant for seeing just how widespread you can make your virus go. Certainly, it makes the system of everyone it infects more vulnerable, but unless the person who creates the virus has a primary plan to actually send out something that will HURT your computer, it's not really worth worrying about the worm. Of course if you get it, you should remove it, and you should be taking necessary precautions to keep from getting it in the first place through use of common sense (as with this one, since obviously a .pif file is one of the least likely to be safe files around...) Or through the use of a good Antivirus program.

Unfortunately not everyone is quite so able to exercise common sense, so here is an easy to remember maxim for those people:

If you don't know how to use your computer effectively, don't use it.

Computers don't work on their own. They are tools like any other. If your car breaks down, you have to get it fixed. If your computer breaks down, it will not fix itself. Know how your computer works, otherwise I can't be bothered to care when your computer stops working, and you don't know why.
They harm you, not your computer
by Macsaresafer December 8, 2005 12:29 PM PST
Rab, be careful. A lot of malware isn't intended to cause a computer
problem. They want your computer to keep working, but for them.
They can send back all your keystrokes, including those from what
you thought was secure banking. They can use your PC for sending
out junk mail and kiddie porn. These things can all create big
problems for you, and without hurting your computer at all.
First time?
by Sentinel December 8, 2005 4:22 AM PST
"The inclusion of an IM bot is another sign that IM worms are becoming more sophisticated."

These techniques have been floating around the Web for years. Back when I used ICQ in 1999, IM Bots sent me porno links all the time, so much I've never used ICQ since then. Also, the technique that only the message receiver sees the message is not new. Last year a friend of mine kept sending me messages with a strange URL, and when I asked him about it, he said he didn't know anything about it.

Both techniques are highly intrusive, but old. They have been used for malicious purposes for years. So why is it only now in the news? The fact that the link installs a Trojan may be the new catch, but it was only a matter of time.
I was going to guess....
by Macsaresafer December 8, 2005 9:48 AM PST
that this only affected Windoze systems since they're so easily
defeated. Then I thought it would be better to check it out.

According to Trend Micro it affects: Windows 98, ME, NT, 2000, XP,
Server 2003

Will people never learn?
LOL windoze!!!@
by Christopher Hall December 9, 2005 5:21 AM PST
Grow up.
How about Gaim?
by Ron Ammerman December 8, 2005 6:40 PM PST
If a user on a Windows platform was using Gaim (http://gaim.sourceforge.net/win32/index.php), would this IM worm be able to accomplish the same task as a Windows/AIM user? I would imagine that the worm may be able to install itself but might not be able to forward itself to all of your buddies. In this regard, using an IM program such as Gaim might be an attractive choice for windows users.

Cheers.
Does it support file transfer?
by stealt403 December 8, 2005 7:29 PM PST
I don't think you can make a folder available for sharing in GAIM, like you can using AIM. That's my only gripe. Developers are working on it though, and as soon as they include this feature I will switch immediately. I hate how AOL installs all that extra software including their browser, media player, and the rest of the garbage. Then they change your registry to make them all start on system startup. AIM is a memory and CPU hog. I can't wait to get rid of it. Anybody else use any other AIM alternatives?
Another Windows vs. Mac battle?
by stealt403 December 8, 2005 7:24 PM PST
This argument is getting old. It seems like every new story on CNET about a virus or worm leads to this type of discussion. I think Mac users should continue to think they are better than everyone else and keep their mouth shut. Windows users should be more cautious as always and keep virus definitions current. I don't think either side will ever convince the other that they are right and switch OSs. People are self-righteous. I have nothing against Mac or Windows users.
NOT THE FIRST- Cnet is wrong here!
by Digital_Freedom December 10, 2005 11:49 AM PST
I agree. I actually had a Yahoo Messenger worm that did almost exactly the same thing in 2002-2003! The only difference was that you could read what the virus said to the victim (could read the "lol, cool.. check this link out" etc..) CNET: PLEASE DON'T CALL THIS WORM THE FIRST THAT CHATS WITH A VICTIM TO DUPE THEM TO CLICK A VIRUS INSTALL LINK. It's simply NOT TRUE.