If you use MSN Messenger, beware of Fatso and Kelvir.
Tokyo-based antivirus firm Trend Micro has issued a "medium-risk" alert for these worms, known specifically as Fatso-A and Kelvir-B. Both have been using the popular instant messaging tool to spread, mostly in Asia and the United States as of Monday afternoon.
"If one user is infected, they try to send a message to everyone in the MSN Messenger list," said Joseph Hartmann, Trend Micro's director of AV research. He said the worms aren't causing as much trouble for enterprises as last week's multi-variant Bagle outbreak because MSN Messenger isn't as widely used in the corporate environment. But there's still reason for IT professionals to pay attention:
"The source code these worms are based on is out there for the underground to pick away at, so we can expect more activity in the future," Hartmann said.
Both worms affect Windows 95, 98, ME, NT, 2000 and XP, the firm said.
How they spread
Though Trend Micro doesn't believe the worms are related, it said both will send users an instant message with links to Web sites where users unknowingly download bots. These bots could then hijack users' computers and open backdoors on the network.
Both are memory-resident worms that copy themselves to all online MSN Messenger contacts on the infected system. The outgoing instant message contains a link to one or more Web sites. When the recipient clicks on the link, a copy of the worm is downloaded on their system.
Fatso-A can also spread using eMule, a peer-to-peer (P2P) file sharing application, Trend Micro said.
The files Fatso-A drops incorporate names of celebrities -- "Fat Elvis! Lol.pif" and "Jennifer Lopez.scr" -- or sexually explicit titles -- "How a Blonde Eats a Banana.pif" and "Topless in Miniskirt!lol.pif".
One of the files is a text file with a personal message to "Larissa," creator of the Assiral-A worm, which first appeared last month and was designed to kill off variants of another MSN Messenger-based worm, Bropia.
Assiral-A arrived as an e-mail attachment and displayed the following text on infected machines: "Larissa -- Anti-Bropia -- Freeing the world of Bropia."
Fatso-A's message to Larissa reads:
"Hey LARISSA f**k off, you f**king n00b!.. Bla bla to your f**king Saving the world from Bropia, the world n33ds saving from you!"
Trend Micro noted that Kelvir-B, while very similar to Fatso-A, also drops a backdoor program called Worm.Sdbot-AUK on infected machines.