MSN Messenger users: Fatso, Kelvir not your buddies

By Bill Brenner, News Writer 07 Mar 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

If you use MSN Messenger, beware of Fatso and Kelvir.

Tokyo-based antivirus firm Trend Micro has issued a "medium-risk" alert for these worms, known specifically as Fatso-A and Kelvir-B. Both have been using the popular instant messaging tool to spread, mostly in Asia and the United States as of Monday afternoon.

"If one user is infected, they try to send a message to everyone in the MSN Messenger list," said Joseph Hartmann, Trend Micro's director of AV research. He said the worms aren't causing as much trouble for enterprises as last week's multi-variant Bagle outbreak because MSN Messenger isn't as widely used in the corporate environment. But there's still reason for IT professionals to pay attention:

"The source code these worms are based on is out there for the underground to pick away at, so we can expect more activity in the future," Hartmann said.

Both worms affect Windows 95, 98, ME, NT, 2000 and XP, the firm said.

How they spread
Though Trend Micro doesn't believe the worms are related, it said both will send users an instant message with links to Web sites where users unknowingly download bots. These bots could then hijack users' computers and open backdoors on the network.

Both are memory-resident worms that copy themselves to all online MSN Messenger contacts on the infected system. The outgoing instant message contains a link to one or more Web sites. When the recipient clicks on the link, a copy of the worm is downloaded on their system.

Other articles on bots and botnets Beware the bots I, botnet

Fatso-A can also spread using eMule, a peer-to-peer (P2P) file sharing application, Trend Micro said.

The files Fatso-A drop incorporate names of celebrities -- "Fat Elvis! Lol.pif" and "Jennifer Lopez.scr" -- or sexually explicit titles -- "How a Blonde Eats a Banana.pif" and "Topless in Miniskirt!lol.pif."

One of the files is a text file with a personal message to "Larissa," creator of the Assiral-A worm, which first appeared last month and was designed to kill off variants of another MSN Messenger-based worm, Bropia.

Assiral-A arrived as an e-mail attachment and displayed the following text on infected machines: "Larissa -- Anti-Bropia -- Freeing the world of Bropia."

Fatso-A's message to Larissa reads:

"Hey LARISSA f**k off, you f**king n00b!.. Bla bla to your f**king Saving the world from Bropia, the world n33ds saving from you!"

'-S-K-Y-'-D-E-V-I-L-'

While it's very similar to Fatso-A, Trend Micro noted that Kelvir-B also drops a backdoor program called Worm.Sdbot-AUK on infected machines.

Tags: IM Security Issues, Risks and Tools,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Security flaws found in AOL, Yahoo IM programs Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary