MSN Messenger is the target of a host of new worms spreading across the Internet.
New versions of the Bropia and Kelvir worms have appeared today and are spreading over MSN Messenger, according to alerts issued by leading anti-virus companies. Plus a new family of worms, dubbed "Sumom" or "Serflog" has also appeared, also spreading over MSN.
The spate of instant messaging worms is evidence that virus writers are finally realising its potential to quickly disseminate malicious code, according to one antivirus expert.
IM worms have been gaining popularity in virus-writing circles for months. The Bropia worm, which spreads using MSN Messenger, burst onto the scene in January. New variants from that family of worms have appeared almost weekly ever since.
Bropia has been joined by a number of new messaging worms in recent weeks. Kelvir, which first appeared on Sunday, has already spawned three new variants, according to data from Symantec. MSN is not the only victim. The Stang and Aimdes viruses spread over the AOL Instant Messenger (AIM) network.
The new worms all target Windows machines and steal IM contacts from machines they infect, so victims often receive IM messages containing the virus from friends or acquaintances. The worms also use so-called "social engineering" tricks, such as vague but familiar-sounding messages and salacious file attachments to get users to open files that install the virus or visit Web pages that install viruses, spyware or Trojan horse programs on the victim's machine.
Kelvir arrives in an MSN message that reads "lol! see it! u'll like it," with a link to a file called "omg.pif" that is hosted on the home.earthlink.net Web server. When recipients click on the link, the virus infects the victim's computer and sends identical messages to all of that user's contacts, according to F-Secure.
Serflog, the new IM worm that appeared on Monday, arrives in a blank MSN message with links to one of a number of PIF files that contain the virus, such as "My new photo!.pif", "Topless in Mini Skirt! lol.pif" and "Fat Elvis! lol.pif", Symantec said.
Virus writers have realized that IM is a useful medium for distributing viruses because IM users are inclined to look at or click on IM messages that pop up on their computer desktop, said Gregg Mastoras, a senior security analyst at Sophos.
Many IM users are also relatively new to the technology, compared with e-mail, and are less aware of the threat of IM viruses than they are of e-mail viruses, he said.
Firewalls and anti-virus products that corporations use to guard Internet gateways are often unable to stop incoming IM messages that contain virus attachments, though desktop anti-virus products often detect and block executable files from being downloaded and installed. Many security products also fail to block messaging viruses that use links to external websites to distribute malicious code, Mastoras said.
Employers and IM providers need to do more to educate users about the danger posed by viruses and other threats spread via IM, he said. "It's a big challenge. There's a lot more work to be done, but you're not going to educate people out of being curious," Mastoras said.