Beta Messenger is really a botnet recruitment tool
Antivirus vendors are warning users to avoid a new Trojan masquerading as a beta download of MSN Messenger 8, which doesn't exist in the public realm.
The Virkel worm, already circulating in various incarnations as well as under the alias Chod, arrives in an instant message box touting "MSN Messenger 8 Working BETA" and "Messenger 8 BETA has been leaked!" Those that take the bait and click a link not only download the Trojan but also spread the worm via instant message to anyone in their contact list. Thus, the message appears to come from a trusted source when sent to the next batch of potential victims.
In addition, Virkel shuts down AV and security software. It also blocks access to security vendor sites by adding entries in an infected system's HOST file and deleting an entry in the system registry.
The worm also contains a backdoor that opens random TCP ports to connect to IRC servers, which then allows the compromised machine to be added to a botnet awaiting commands by a remote, malicious user. Another disturbing component parlays the Windows XP Service Pack 2 patch to increase its propagation through more network connections.
Though Virkel's damage potential is high, Tokyo-based Trend Micro currently deems the worm a low threat because of poor initial infection rates. Helsinki-based antivirus provider F-Secure is credited with being first to announce the worm on its blog yesterday.
In related news, Glendale, Calif.-based Panda Software yesterday reported two new Trojans that target Spanish-language MSN Messenger to harvest passwords to several online bank sites. The Banker-BSX Trojan is particularly newsworthy because it opens port 1106 and waits to capture login and password information as it streams by, rather than using a more conventional keylogger to capture the data. Most activity currently includes the South American counties like Chile, Peru and Argentina, as well as Spain and Israel.
New Windows exploit spreads by infected images
Helsinki-based F-Secure today is warning of a new flaw in Windows' image rendering that is actively being exploited and puts Web browsers at risk. The antivirus provider recommends admins block access to unionseek.com and filter all WMF files at HTTP proxy and SMTP level until Microsoft can issue a patch.
A tell-tale sign a machine's been infected with any number of Trojans, such as Downloader.Win32.Agent.abs or Win32.Small.ga, is a fake warning that "Your computer is infected!" coming from the toolbar. An Internet Explorer user may be infected merely by visiting a site with an infected image; Firefox users, particularly those running older versions, also risk infection if they run or download the image, F-Secure noted on its blog.
AV vendors have been updating their signatures to detect the malicious code.
Marriott loses backup tape with 200,000+ time-share customers' data
A Marriott International Inc. subsidiary is warning some 206,000 time-share owners, customers and employees that it's lost backup tapes holding credit card information and Social Security numbers that could be used to commit identity theft. Thus far, no one's reported any misuse, the company said.
Marriott Vacation Club mailed letters to time-share owners and customers on Christmas Eve and issued a prepared statement yesterday disclosing that an internal investigation had yet to determine if the missing tapes were merely misplaced or stolen since their disappearance in mid-November at the company's headquarters in Orlando. The company told The Washington Post yesterday it delayed letting the public know about the missing backup disks until it was sure "the issue was sensitive enough to warrant a broad disclosure."
The company is offering free credit monitoring to anyone affected by the mishap.
Last week a missing backup tape holding valuable data on 2 million ABN AMBRO mortgage customers was found by carrier DHL, but with the original airbill missing. Though the Chicago-based company doesn't believe any customer data was compromised, it's asking customers to continue monitoring their credit reports for signs of foul play.