Surge in IM worm activity — don’t look at that cute puppy

We’re seeing a surge in IM-worm activity today. We’ve been seeing a higher level of activity for this type of attack for the past couple of weeks now.

If you receive a file over the Yahoo! or MSN Live Messenger service that looks like image021.zip, DO NOT download it. It drops what appears to be a keystroke/vpad scraping bot that phones home to an IP address in Turkey. It also downloads more components from servers in Shanghai and New Zealand.

Here is a screenshot of the MSN Live Messenger client handling the incoming message. The incoming message arrives from one of your contacts as image021.zip, or something close to that name. It arrives alongside a cute message listed below. In our lab, the zip file arrived underneath “hey look @ my cute new puppy :-D”

These lines of text are being changed by the authors/distributors. They maintain a “chat.txt” file, downloaded by the bot from a server in Austria, that contains all the comments the worm may chat. Here are the current cute comments the message might arrive with:
hey look @ this picture of me, when I was a kid
I just took this picture with my webcam, like it?
hey look @ my cute new puppy :-D
hey man, did you take this picture?
holly cow this picture is nasty check it
check it, i shaved my head
have u seen my new hair?
what the ____, did you see this?
hey I’m sending you a profile pic tell me if its nice k?
haha lets hope your parents dont see this picture of you :D
hey did i ever show you this picture of me?
is it ok if I add this picture of us to my new slideshow?
can i upload some of these pics of you to my myspace profile?
you care if i put this pictuer of you in my new album?
I cant believe they wanted me to upload this picture to facebook lol.
Lmfao hey im sending my new pictures! Check em out!
is it alright if I upload this picture of us to myspace?
is it alright if I upload this picture of us to facebook?
do you see anything strange in this picture about me?
Wanna see my pics before i send em to facebook?
you mind if I upload this pic of us to my online album?
do you think this picture is too kinky for Myspace?
This picture isnt you… right?
Wow i think i found your pic on myspace!
do I look dumb in this picture? I want to put it on myspace.
sry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
my crazy sister wants u to see these pics for some reason… take a look
ohhhh myyy look at this pic haha!
wow! look at this old picture i found….
wanna see this pic of my Boobs?
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey just finished new myspace album! :) theres a few kinky ones in there!
hey you got a myspace album? anyways heres my new myspace album :) accept k?
Dude i found your picture on hotornot.com! Take a look!
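
The pattern described above (a chat line about a picture, followed by a .zip offer from the same contact) can be turned into a simple quarantine rule for an IM gateway or log review. This is an added example, not code from the original post; the log format, the 60-second window, the lure keyword list and the filename pattern are assumptions built from the lures and the two filenames quoted on this page.

```python
import re
from datetime import datetime, timedelta

# Filenames named in the post: image021.zip and album1of42.zip. Matching any
# "image..."/"album..." zip is an assumed generalisation of those two names.
PICTURE_ZIP = re.compile(r"^(image|album)[\w-]*\.zip$", re.I)
# Words that recur in the chat.txt lures quoted above (assumed keyword list).
LURE_WORDS = re.compile(r"\b(pictures?|pics?|album|puppy|hair|slideshow)\b", re.I)
WINDOW = timedelta(seconds=60)  # assumed gap allowed between lure and file offer

# Constructed sample log, format "ISO-timestamp|sender|MSG or FILE|payload".
SAMPLE_LOG = [
    "2000-01-01T10:00:00|alice|MSG|hey look @ my cute new puppy :-D",
    "2000-01-01T10:00:03|alice|FILE|image021.zip",
    "2000-01-01T10:05:00|bob|MSG|here are the build logs you asked for",
    "2000-01-01T10:05:10|bob|FILE|logs.zip",
    "2000-01-01T10:07:00|carol|MSG|is this pic tooo sexy for photobucket??",
    "2000-01-01T10:07:05|carol|FILE|holiday.jpg",
    "2000-01-01T10:09:00|dave|FILE|album1of42.zip",
]

def parse(line):
    """Split one constructed log line into (time, sender, kind, payload)."""
    ts, sender, kind, payload = line.split("|", 3)
    return datetime.fromisoformat(ts), sender, kind, payload

def suspicious_offers(lines):
    """Return (sender, filename, reason) for each zip offer worth quarantining."""
    last_lure = {}  # sender -> time of their most recent picture-themed message
    hits = []
    for ts, sender, kind, payload in map(parse, lines):
        if kind == "MSG" and LURE_WORDS.search(payload):
            last_lure[sender] = ts
        elif kind == "FILE" and payload.lower().endswith(".zip"):
            # A "picture" that arrives as an archive is the mismatch to catch.
            lured = sender in last_lure and ts - last_lure[sender] <= WINDOW
            named = bool(PICTURE_ZIP.match(payload))
            if lured and named:
                hits.append((sender, payload, "picture lure + picture-named zip"))
            elif lured:
                hits.append((sender, payload, "picture lure + zip archive"))
            elif named:
                hits.append((sender, payload, "picture-named zip"))
    return hits

if __name__ == "__main__":
    for hit in suspicious_offers(SAMPLE_LOG):
        print(hit)
```

Because the distributors rotate the chat text, the filename and file-type mismatch is the more durable signal; the keyword list only raises confidence.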

Note: you can observe the struggle that this poor soul went through after downloading, unzipping and running the “album1of42.zip” file they received over MSN Messenger. They unfortunately are seeking out volunteer advice for the time-consuming steps of cleaning up a system infected with this worm.

Update: This same sort of IM-worm activity will surge in different parts of the world six months from now.
