Users of AOL’s instant messaging software, AIM, should be on the lookout for an innovative new worm, variously named "Oscarbot-B" and "Doyorg" by anti-virus companies.
The Windows-based malware emerged early this week, and has made itself a nuisance for its ability to hijack the list of contacts or "buddies" in an infected user’s IM account. After opening a window to any one of these contacts with the message "Hey check this out" , it invites users to follow an embedded link. Anyone who clicks on this will risk becoming its next victim.
On machines where infection is successful, the worm creates a backdoor into Internet Relay Chat (IRC) to download and run files on the instruction of the attacker, giving remote access to that PC.
Intriguingly, the attempt to spread via AIM is not initiated immediately, and depends on a further instruction from the attacker to start the infection/attack cycle anew. This might explain why the infection cycle has thus far moved slowly without being widely commented on by anti-virus companies.
Although its effects are little worse than a nuisance right now, in the world of malware that counts for nothing. Dry-runs for more serious attacks can be trialled by testing worm, virus and Trojan designs ahead of time to see how successful they turn out to be.
Techworld has had an unconfirmed but reliable report of at least one intended victim of Oscarbot-B, based in the US. True to its description, a window was opened from one of the user’s non-company AIM contacts, asking him to click on a embedded link. When more detail was requested, it returned the same request as a response, making him suspicious.
Graham Cluley of Sophos, an anti-virus company that targets business customers, suggested that companies needed to consider whether IM was worth the risk. "Fundamentally, many businesses will have to ask their staff if they really need IM for their day-to-day work and if not it may be more sensible to take it away," he said. "We're certainly seeing more instant messaging malware being written, although they haven't yet had the same kind of impact as email-aware worms or internet worms."