Three New Worms Threaten Instant Messaging Users, While The Cyber-War Between Virus Authors Continues

– Fatso.A, Kelvir.B and Kelvir.C spread via MSN Messenger. The last two also download and run variants of the Gaobot or Sdbot families of Trojans, allowing remote control of affected computers

– Fatso.A includes a text replying to the message displayed by the Assiral.A worm, referring to the Bropia family of worms

– Due to the predicable appearance of new malicious code that spread via instant messaging, Panda Software recommends users to take precautions with the messages they receive through these applications

Virus creators are continuing to demonstrate their interest in instant messaging as a rapid means of spreading malicious code. PandaLabs has detected the appearance of three new worms -Kelvir.B, Kelvir.C and Fatso.A- programmed to spread via MSN Messenger.

The new Kelvir worms reach computer in messages with texts like: omg this is funny! (Kelvir.B) or lol! see it! u’ll like it (Kelvir.C), which include a link to an Internet address. If the user clicks on this link, files containing the code of these worms will be downloaded and installed on the computer. These then send new messages to the contacts in MSN Messenger. At the same time, they download variants of the Gaobot or Sdbot Trojans from another web address. These Trojans allow a hacker to gain remote control of the affected computer through IRC chat channels. It is important to mention that all of the web pages from which the Kelvir worms or the Sdbot or Gaobot Trojans are downloaded have already been blocked, preventing them from continuing to spread. However, Panda Software’s international tech support network detected, up until then, that Kelvir.B and Kelvir.C had spread widely to users’ computers worldwide.

The Fatso.A worm sends messages containing links to a page from which a file containing a copy of its code is downloaded and run. When it gets into a computer, it sends itself to all the contacts in MSN Messenger and downloads other files to the system root directory. These files can have names like Annoying crazy frog getting killed.pif, Crazy frog gets killed by train!.pif or Fat Elvis! lol.pif. This worm is also capable of spreading through P2P applications like KaZaA. To do this, it creates copies of itself in the shared directories used by these programs.

Fatso.A also ends the processes of various security programs running in memory, leaving the computer vulnerable to other possible attacks.

What’s more, Fatso.A continues with the cyber-war between virus authors that started with the appearance of the Assiral.A worm, which showed a text attacking the Bropia worms. In response, Fatso.A creates a file called Message to n00b LARISSA.txt on affected systems, which contains an unfriendly message to the Assiral author and signed by someone called Skydevil.

Luis Corrons, head of PandaLabs, warns: “It is probable that new worms that spread via MSN Messenger will appear over the next few hours, and therefore, it is highly recommendable to take precautions with messages received through this application. The situation is getting more dangerous for users of instant messaging applications. As well as these new malicious code, the 20 variants of the Bropia worm and the two variants of the Stang worm detected over the last few days also use this means to spread. What’s more,” he adds, “cyber-criminals are showing a growing interest in instant messaging and there is a tendency to launch blended threats. The two new Kelvir worms, for example, not only aim to spread as widely as possible but also try to install other malware on computers. These could be used to carry out all kinds of actions, such as online fraud using confidential data stolen from affected computers.”

Due to the possibility of receiving malicious code through instant messaging applications, Panda Software advises users to have reliable, updated anti-malware installed, and to be wary of all messages received, regardless of the source. Panda Software clients already have the updates available to detect and disinfect these new worms and the other malicious code that use instant messaging to spread.

Don't miss