Dangerous Virus Attacks Instant Messaging Clients
August 26, 2010, Singapore - A highly infectious new family of computer worms that target popular instant messaging clients in order to take control of a computer without the user’s knowledge has been discovered.
According to Kaspersky Lab, a leading developer of secure content management solutions, it is only a matter of time before Internet users in Asia are attacked.
Mexico, Brazil, Peru and the USA have seen the greatest numbers of infections, with what is being dubbed the ‘IM-Worm’ also spreading across Africa, India and Europe (particularly Spain).
What makes these worms highly unusual is that they are multilingual and capable of infecting users via several IM clients simultaneously, including Yahoo! Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers.
Four variants of this worm have so far been detected by experts at Kaspersky Lab, who have named the family IM-Worm.Win32.Zeroll.
Once the worm penetrates a computer, it looks in the contact list of any IM client present and sends itself to all the addresses it finds. Infection occurs when a user follows what they think is a hyperlink to an interesting picture but which in fact leads to a malicious file. The link appears in an instant message sent by an infected machine.
The fact that it is multilingual also makes the new family of IM worms stand out. IM-Worm.Win32.Zeroll uses 13 different languages, including English, German, Spanish and Portuguese, sending users in various countries messages in a language that they will understand.
At the present time, Mexico, Brazil, Peru and the USA have seen the greatest number of infections, but many instances have also been recorded in Africa, India and European countries, particularly Spain.
IM-Worm.Win32.Zeroll has backdoor functionality, which means it can gain control of a computer without the user’s knowledge. Once it has penetrated a system, the worm contacts a remote command and control center.
After receiving its instructions from the center via IRC, IM-Worm.Win32.Zeroll starts downloading other malicious programs. Interestingly, this new breed of IM worm connects to different IRC channels depending on the country and the infected application. This means a hacker controlling a network of infected computers can classify them according to country and IM client and send out different commands, which is useful, for example, when distributing targeted spam.
“It appears that the worm’s creators are currently in the early stages of their criminal activities,” said Mr Jimmy Fong, Channel Sales Director of Kaspersky Lab, Southeast Asia.
“They are infecting as many machines as they can in order to get good offers from other crooks for such things as pay per install, spam and so on,” Mr Fong said.
All Kaspersky Lab products successfully detect and neutralize the new family of IM worms.