ICQ Worm Spreads Malicious Payload Before Being Blocked

 
 
By Matthew Hicks  |  Posted 2004-02-25
 
 
 
America Online Inc. said it has blocked a worm that began spreading this week through its ICQ instant messaging service that can steal sensitive information from infected machines.

The worm, named Bizex, began spreading among ICQ users on Tuesday, and preliminary reports identified more than 50,000 infected machines worldwide, according to a security alert from Kaspersky Labs Int.

The worm, which makes use of breaches in Microsoft Windows and Internet Explorer, spreads by sending an instant message to ICQ users that includes a link to the www.jokeworld.biz Web site. When a user visits the site, it shows what appears to be an innocuous cartoon but in the background replicates the worm onto the users machine.

AOL, in a message posted on Wednesday to ICQ users, said that it had blocked further distribution of the worm on its ICQ servers. The Dulles, Va.-based company also said that the worm only affected "a small number" of users of the ICQ Pro instant messaging client, and not users of other ICQ clients such as ICQ Lite. An AOL spokeswoman declined to specify the number of infected users.

On infected machines, the worm disconnects the ICQ client and accesses the ICQ contact list in order to send IMs, appearing to be from the infected user, to other ICQ members, Kaspersky reported.

AOL, in its posting, stated that it is working on a fix for infected ICQ Pro users who can no longer use the IM service.

More troublesome is the worms malicious payload. The worm can steal sensitive information from financial services transactions and e-mail accounts. It can scan the infected computer and gather information on payment systems, sending the details to a remote server, Kaspersky said.

In addition, Bizex can intercept information transmitted by HTTPS and log-in information for popular e-mail services.

Bizex joins a growing list of worms propagated through IM services. AOL Instant Messenger in February was the target of a worm that spread as a game about Osama bin Laden but also downloaded ad software called Buddylinks. MSN Messenger in December faced a worm called Jitux, which also spread when users clicked on a link sent through IM.

Bizex, though, marks an escalation in the ferocity of the worm attacks because of its malicious payload and demonstrates the increasing danger of IM viruses and worms, said Dmitry Shapiro, chief technology officer and founder of Akonix Systems Inc., an IM management and security vendor. A big part of the problem, he said, is that corporations have left IM unmanaged and insecure on their networks.

"Its becoming too tough to get a virus to propagate over e-mail, but on IM theres this new frontier where its easy to make this work," Shapiro said. "Virus and worm writers will start using instant messaging as a primary mode of propagation."

Check out eWEEK.coms Messaging Center at http://messaging.eweek.com for more on IM and other collaboration technologies.

Rocket Fuel