A Trojan appeared at the weekend that uses MSN Messenger to grow a botnet, but more worryingly the malware also tries to scan for virtual machines in order to increase the botnet’s number of connections.
At 18:00 UTC (Coordinated Universal Time), eSafe had apparently detected one operator and more than 500 on-command bots in the network. Three hours later, eSafe director of product management Roei Lichtman told eWeek that the number had soared to several thousand PCs and was growing by several hundred systems per hour.
eSafe is apparently monitoring the IRC channel used to control the botnet, and the only inhabitants of the network besides the operator were reportedly infected PCs.
The Trojan is an IRC (Internet Relay Chat) bot that is spreading via MSN Messenger. The Trojan either uses known or unknown contacts when sending itself to a user. It appears as a .zip file with two names, one including the word ‘pics’ as a double extension executable. The Trojan is also contained in a .zip file with the name "images" as a .pif executable.
Back in the summer, it was reported that code attacks over instant messaging are up almost 80 percent over last year. But eSafe is warning that this is first time it has tracked a Trojan that has tried to scan for VNC (Virtual Network Computing) instances, likely in order to multiply the botnet's number of connections.
Users have been warned not to open unexpected files, either from friends or strangers.