A new worm is using Microsoft's MSN Messenger network to spread.
Bropia.A spreads by sending copies of itself to an MSN Messenger user's instant message (IM) contacts. When the worm is launched, it installs a Trojan horse program, Rbot, on vulnerable machines, according to alerts from F-Secure and Symantec.
Windows machines running MSN Messenger with a Messenger window open on the desktop are vulnerable to infection. F-Secure and Symantec rated Bropia a low threat, based on the number of reports of infected machines, and issued virus definition updates that allow their products to spot the new worm.
While previous IM worms spread by sending links to worm files embedded in IM messages, Bropia spreads by sending commands to Messenger that cause the program to send copies of the worm file directly to the infected user's IM contacts.The Bropia worm is also able to monitor Messenger for any change to a user's IM contacts and send worm files to contacts as they log on to the IM network, Symantec said.
When the worm file is launched, Bropia copies itself to the hard drive of the infected machine, disguised as a file with one of several names, including:"Drunk_lol.pif", "Webcam_004.pif", "sexy_bedroom.pif", "naked_party.pif" or "love_me.pif".
The worm also disables a user's right mouse button to prevent users from accessing context sensitive menus, and to alter the Windows sound mixer volume settings, F-Secure said.
The Trojan horse program that is installed by Bropia, which F-Secure referred to as Rbot, and Symantec as W32.Spybot.worm, opens a back door into infected Windows systems and has features that log user keystrokes, collect vital system information and relay spam, F-Secure said.
IM worms are not a new concept, and computer virus researchers have frequently warned of their potential to spread quickly across global IM networks such as those run by Microsoft, Yahoo and AOL.
In August, researchers at PivX intercepted a version of the Scob worm that used mass-distributed instant messages to lure Internet users to websites that distribute malicious code similar to Download.ject.
Symantec and F-Secure advised customers to update their antivirus software definitions to spot the new worm.