ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

MSN Messenger hit by double-whammy worm

Munir Kotadia ZDNet Australia

Published: 03 Feb 2005 09:50 GMT

The latest variant of the Bropia worm was discovered on Wednesday evening. It infects users of MSN Messenger by sending itself as a picture of a roast chicken with tan lines. It also releases a second more dangerous worm called agabot.ajc on the infected user's computer.

Adam Biviano, senior systems engineer at antivirus firm Trend Micro, said that although there have only been a handful of reported infections, Trend Micro has declared a medium risk alert because of the worm's potential to spread and steal users' bandwidth.

"The potential for damage is quite high because it drops another worm on your machine that is quite nasty and can spread through network by taking advantage of unpatched desktops and servers," said Biviano.

Biviano said this variant of Bropia can easily be avoided because it exploits vulnerabilities that could have been patched months ago and relies on users opening a file through MSN Messenger. He advises users to only open files received through MSN Messenger if they are expected -- even if they are from a contact.

"If you receive a file that you are not expecting, even if it is from someone in your contacts list, don't open it because it is very possible that the file is being sent unbeknown to that person.

"The second worm (agabot.ajc) does have the potential to perform a DDoS attack on certain services. For example it preys on the same vulnerabilities that were exploited by Slammer, Blaster (MSBlast) and Sasser.

"Usually if you are sending a file using instant messenger you say 'I'm sending you this picture, have a look at it', It is never random or out of the blue," said Biviano.

Biviano said this variant of Bropia is the first worm to use IM that has been given a higher alert status -- but probably not the last.

"Obviously the popularity of IM itself is starting to gain the attention of the virus writers and they are now using it as a tool," said Biviano.

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.