Chicken Swimsuit Model Hides Nasty Worm

 
 
By Ryan Naraine  |  Posted 2005-02-04 Email Print this article Print
 
 
 
 
 
 
 

The Bropia worm lures MSN Messenger users with promises of sexy image files, but there's a bigger danger lurking, anti-virus experts warn.

Anti-virus vendors have raised the threat level on a double-barreled MSN Messenger worm that lures users with the promise of sexy image files.

The worm, identified as W32/Bropia, arrives as a download link within MSN instant messaging sessions, but instead of sexy photographs, infected users get an image of a cooked chicken on a platter with a neatly drawn bikini tan line.

The worm also deposits a variant of the Rbot backdoor Trojan that is capable of using infected machines to create zombie networks, security experts warn.

The Rbot variant represents a large family of backdoors that can be used to hijack sensitive data from a victims machine. According to an advisory from McAfee Inc., the Trojan connects to a remote IRC server to receive remote commands that could range from the launch of denial-of-service attacks to the scanning of local subnets to find unpatched machines.

The worm, which also disables anti-virus software and manipulates audio sounds on an infected machine, is capable of logging and reporting keystrokes, relaying spam and harvesting credit card numbers and other sensitive passwords.

McAfee said the Trojan has been programmed to target machines vulnerable to a list of previously reported security flaws. In addition, the worm carries a large list of user names and passwords to launch brute-force attacks on poorly secured machines.

Panda Software also increased the threat level for Bropia after intercepting the worm in several countries, including the United States, Mexico, Canada, China, Korea and Taiwan.

In an online advisory, Panda Software said the worm spreads itself by sending a link via IM urging recipients to download one of the following files: "Drunk_lol.pif"; "Webcam_004.pif"; "sexy_bedroom.pif"; "naked_party.pif"; or "love_me.pif."

Click here to read about a group using honey pots to catch IM threats. The MSN Messenger application has to be open on the infected computers desktop for replication to be successful.

Trend Micro Inc. has released a medium risk advisory for the memory-resident worm and urged system administrators to block MSN Messenger transfers to control the worms propagation.

"As a general rule, MSN Messenger users should avoid accepting file transfers coming from an untrusted source," Trend Micro added.

Symantec has developed and released a removal tool to clean the Bropia infections. The company has also offered manual removal instructions for infected users.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel