New Worm Attacks MSN Messenger As Service Falters

Microsoft says there's no connection between the W32.Funner worm attack and the erratic behavior of the company's MSN Messenger service following a Sunday repair job.

Another candidate in the growing list of exploits on instant messaging clients and servers arrived in the wild. Called W32.Funner, the worm on Monday circulated to attack on the Windows Messenger platform.

At the same time, Microsoft Corp.s MSN Messenger service was unavailable much of the day Monday and several online sites wondered if the worm was implicated in the problems.

Microsoft officials confirmed the outage of its MSN services for most of Monday. A spokeswoman said that following system maintenance over the weekend, MSN "began experiencing some issues with the MSN Messenger service that may have affected customers ability to log in to the service or exchange IMs."

"Were actively investigating the cause of the issue and are working to take the appropriate steps to remedy the situation as rapidly as possible," she said. "While we work to resolve the issue, customers may experience intermittent access to MSN Messenger while the service it is temporarily taken offline for emergency maintenance. We sincerely apologize for any inconvenience and disruption this may cause our customers." she said.

While several customers wondered about a relationship between the outage and arrival of the worm, Microsoft denied any connection. As of press time, the intermittent problems still continued according to reports received by

According to a Symantec Corp. security alert, 32-bit versions of Microsoft Corp.s Windows platform are vulnerable, both client and server, including Windows XP and Windows Server 2003. However, 64-bit versions of Windows running on Advanced Micro Devices Inc. or Intel Corp. processors were unaffected, the advisory noted.

Upon infection, the worm attempts to spread itself through the hosts MSN Messenger contact list. In addition, the worm alters the Windowss host file, adding more than 900 URLs, reportedly Asian pornography and gaming sites.

Symantec and several other security services categorized this attack as a nuisance. As of Monday afternoon, its spread in the wild was still called "light," according to a Symantec representative.


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

At the front of the year, a number of worms propagated through IM services, including MSN Messenger and America Online Inc.s client. In addition, AOL recently patched a security hole in its Version 5.9 release.

However, the rising reliance on instant messaging in the enterprise and the growing wave of Web-site-based exploits, present a worrisome picture, said Ken Dunham, director of malicious code at iDefense Inc. of Reston, Va.

Dunham described a "convergence of vulnerabilities tied to new vectors like instant messaging." Unlike the straightforward ICQ attacks of a year or two ago, this "more volatile situation" will come when the IM presents a "hostile link" to a Web page that actually contains the exploit, or code that will be downloaded and then executed.

"When youre in an instant messaging environment you have a message that pops up and catches your attention, usually from a trusted individual. Thats inherently different from e-mail and these worms have the potential to travel faster than e-mail worms," he said.


Check out eWEEK.coms Messaging & Collaboration Center at for more on IM and other collaboration technologies.


Be sure to add our messaging and collaboration news feed to your RSS newsreader or My Yahoo page