Noomy.A: A Sophisticated Worm That Spreads Through IRC Using Social Engineering

PandaLabs has recently detected the appearance of a new and sophisticated worm called Noomy.A. Even though there have been no reports of this malicious code causing incidents in users’ computers, Noomy.A has a series of characteristics that are worth highlighting, as they could represent a new trend in malicious code techniques.

Noomy.A is a worm written in Visual Basic, which is programmed to spread via email and IRC. It spreads via email in messages with extremely variable characteristics, as the subjects and message texts are selected at random from a long list of options. The name of the attachment, which contains the worm’s code, is also selected at random. If the user runs this file, Noomy.A will send itself out to all the addresses it finds in the files on the affected computer with a .dbx, .htm, .html or .php extension, except to those that contain certain strings.

Up to this point, Noomy.A is no different from traditional email worms; however, it uses unconventional techniques to spread via IRC. It creates an HTTP server on affected computers and creates a large number of files containing copies of its code. The names of these files include 2004serials.pif, Ageofempires2crack.exe, AgeOfMythologyISO.exe and AnaKurnikovaVirualGirl2004.scr, among many others.

Then Noomy.A connects and logs on to different IRC channels, as if it were a user, and starts sending messages to different chatrooms. These messages use social engineering techniques to get users’ attention, offering files with attractive content to trick them into downloading these files to their computers. Below are a few examples of these messages:

– everyone interested in the newest cracks can visit my private server while im online there’s other things on it too

– download Britney Spears virual girl screensaver at my private server while im online

The messages contain links that point to the servers created on affected computers. If a user clicks on the link, a page will open which pretends to download the files offered in the chat channel. However, the files downloaded are actually the infected files created by Noomy.A.

In order to make these pages more realistic, Noomy.A incorporates several style sheets in the servers it generates on affected computers. Therefore, a different page will be displayed even if a user connects to the same web address several times.

Noomy.A also ends the processes belonging to different antivirus and security tools. This allows it to carry out its actions without any kind of obstacle. What’s more, the computer is left vulnerable to attack from other Internet threats that could appear.

Another interesting characteristic of Noomy.A is that it is programmed to launch Denial of Service attacks against the websites of different software developers, including Microsoft.

“Many pieces of malicious code use IRC servers to carry out their actions,” explains Luis Corrons, head of PandaLabs. “However, in most cases they act as an intermediary between the hacker and the virus to gain remote access to affected computers and carry out malicious actions. The way in which Noomy.A uses social engineering to trick IRC users seems to be an attempt to open a new means of virus propagation. For this reason, users must be on the alert, ignoring any messages that offer content they have not asked for, whatever Internet service they are using.”

Even though no incidents caused by Noomy.A have been reported, in order to avoid falling victim to this or other malicious code, Panda Software advises users to keep their antivirus software updated.


