December 6, 2005 5:43 PM PST

New IM worm chats with intended victims

By Joris Evers
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Study: IM worms up again in November
November 29, 2005; AIM worm plays nasty new trick
October 28, 2005; IM worm speaks your language
August 24, 2005

You can now instant message with a worm.

A new worm that targets users of America Online's AOL Instant Messenger is believed to be the first that actually chats with the intended victim to dupe the target into activating a malicious payload, IM security vendor IMlogic warned Tuesday.

According to IMlogic, the worm, dubbed IM.Myspace04.AIM, has arrived in instant messages that state: "lol thats cool" and included a URL to a malicious file "clarissa17.pif." When unsuspecting users have responded, perhaps asking if the attachment contained a virus, the worm has replied: "lol no its not its a virus", IMlogic said.

The malicious file disables security software, installs a backdoor and tweaks system files, the company said. Then it starts sending itself to contacts on the victim's buddy list.

But the worm is programmed so that the infected user cannot see the messages that are being sent out by the worm, according to IMlogic.

"This is a first," said Andrew Burton, director of product management at Waltham, Mass.-based IMlogic. This worm is not widespread, but attackers are just trying out this new technique, he said. "We will see one or two instances of an attack, there will be a refinement and then there will be an outbreak."

The inclusion of an IM bot is another sign that IM worms are becoming more sophisticated. Another worm, also spotted on Tuesday, takes a more traditional route: it spreads under the guise of a holiday greeting card, IM security specialist Akonix Systems said Tuesday.

The holiday worm, dubbed Aimdes.E, targets AIM users and arrives with the message: "The user has sent you a Greeting Card, to open it visit:" followed by a link. Once the target clicks on the link, the worm installs itself on the system. It opens a backdoor on the computer and sends itself to contacts on the buddy list, Akonix said.

Advice to users is to be careful when clicking on links in IM messages--even when they seem to come from friends--and to use up-to-date antivirus software. When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not.

See more CNET content tagged:
IMLogic, worm, Akonix Systems, IM, victim

Add a Comment (Log in or register) 43 comments (Showing first 20 comments)

haha, thats smart
by digitallysick December 6, 2005 7:06 PM PST: poor windows aol users! they get picked on so bad; Reply to this comment View reply
Processing

This is NOT the first im virus to "talk back"!!
by Digital_Freedom December 7, 2005 5:36 AM PST: I had a yahoo messenger virus do almost exactly the same thing in 2003!! The only difference was that it never told people that it wasnt a virus. What it did say was things like "lol! hey check out this link" and other stuff.. IT got to the point I had to tell people "dont click that, I didnt say that!"... It was a nasty virus that was not listed anywhere. I had to fdisk and format my drive to kill it. So, this is NOT the first time a virus of this nature has been discovered. But, I dont think the virus I found was ever flaged by a anti-virus program.; Reply to this comment View reply
Processing

Think how nasty they could get...
by cparks0225 December 7, 2005 6:18 AM PST: Just think, these things could read through a user's history files to pick out any type of confirmation that you may currently be using to verify that the links your friends are sending you are sent on purpose. Personally, I think I'm done clicking links through IM.; Reply to this comment View all 2 replies
Processing

Too Dang Funny - I wonder where the proofreader is today
by December 7, 2005 7:07 AM PST: From the article: "When receiving a link in an instant message, the best practice is to verify with the sender if the link was sent intentionally or not."

Of course, the worm will reply "lol no its not its a virus"; Reply to this comment

What OS?
by flangeku December 7, 2005 8:19 AM PST: I know this is probably for Win2K/XP, but since AOL Instant Messenger is also available for Win98/Me, Mac OSX, and Linux, your article should probably specify.; Reply to this comment View all 2 replies
Processing

"THIS IS THE FIRST"
by n3td3v December 7, 2005 11:55 AM PST: This is completely false. I guess as always these guys don't know what they are talking about! The guys are making it up as they go along to get media headlines! Why do CNET continue to take quotes from these guys when you can just e-mail me instead?; Reply to this comment View reply
Processing

Worms
by Eskiegirl302 December 7, 2005 6:21 PM PST: Well I read all the post. Hmmm...Run out and buy and buy Linux or Mac and learn how to use those. Not today but thanks for the suggestion.

Hmm...Make up stories Think even if they are made up I would want the information. Thankyou Cnet.

Hmm...Links in the IM cause the problem. Don't type the whole string (link) to another user. instead of http://www.yadayada.com type yadayada let them type the string. ignore the bots see who is really in the room. watch it for a bit and you will be able to tell.

Like my windows. Keepin it.

Esk; Reply to this comment View all 2 replies
Processing

Pathetic
by Teome December 7, 2005 7:50 PM PST: How foolish do you have to be to actually fall for that? Wouldn't you realise that it isn't your friend and wouldn't you first check the link location to see what it is?

if you like taking the long way:
-right click
-copy shortcut
-paste to desktop
-right click > properties

...that was tough.; Reply to this comment

AIM in general
by December 7, 2005 11:59 PM PST: I've always found it strange that if one installs or even just runs the executable for AIM, it immediately makes it so if you block aol.com using the hosts file, it does no good--it still lets you go go aol.com. I wonder what they're doing that lets them bypass the hosts file. Since the whole sony thing, I've been wondering whether there's something not-so-cool going on with AIM.; Reply to this comment

There's a difference here.
by Haterabbit December 8, 2005 1:00 AM PST: The problem we're ignoring is that while the idea that clicking a link from someone sending you an obsolete filetype, who's typing like an idiot would be ridiculous to folk like US, There are piles upon piles of people who can't tell a good AV program from their anus. That said, It's unlikely that any of the readers on this website would even think about clicking links which are so blatantly obvious in their virus-hood(?).

Trojans these days are so widespread that it seems unlikely that they're even meant for malicious purposes anymore, so much as they are meant for seeing just how widespread you can make your virus go. Certainly, it makes the system of everyone it infects more vulnerable, but unless the person who creates the virus has a primary plan to actually send out something that will HURT your computer, it's not really worth worrying about the worm. Of course if you get it, you should remove it, and you should be taking necessary precautions to keep from getting it in the first place through use of common sense (as with this one, since obviously a .pif file is one of the least likely to be safe files around...) Or through the use of a good Antivirus program.

Unfortunately not everyone is quite so able to exercise common sense, so here is an easy to remember maxim for those people:

If you don't know how to use your computer effectively, Don't use it.

Computers don't work on their own. They are tools like any other. If your car breaks down, you have to get it fixed. If you computer breaks down, it will not fix itself. Know how your computer works, otherwise I can't be bothered to care when your computer stops working, and you don't know why.; Reply to this comment View reply
Processing

First time?
by Sentinel December 8, 2005 4:22 AM PST: "The inclusion of an IM bot is another sign that IM worms are becoming more sophisticated."

These techniques have been floating around the Web for years. Back when I used ICQ in 1999, IM Bots sent me porno links all the time, so much I've never used ICQ since then. Also, the technique that only the message reciever sees the message is not new. Last year a friend of mine kept sending me messages with a strange URL, and when I asked him about it, he said he didn't know anything about it.

Both techniques are highly intrusive, but old. They have been used for malicious purposes for years. So why is it only now in the news? The fact that the links installs a Trojan may be the new catch, but it was only a matter of time.; Reply to this comment

I was going to guess....
by Macsaresafer December 8, 2005 9:48 AM PST: that this only affected Windoze systems since they're so easily
defeated. Then I thought it would be better to check it out.

According to Trend Micro it affects: Windows 98, ME, NT, 2000, XP,
Server 2003

Will people never learn?; Reply to this comment View reply
Processing

How about Gaim?
by Ron Ammerman December 8, 2005 6:40 PM PST: If a user on a Windows platform was using Gaim (http://gaim.sourceforge.net/win32/index.php), would this IM worm be able to accomplish the same task as a Windows/AIM user? I would imagine that the worm may be able to install itself but might not be able to forward itself to all of your buddies. In this regard, using an IM program such as Gaim might be an attractive choice for windows users.

Cheers.; Reply to this comment View reply
Processing

Another Windows vs. Mac battle?
by stealt403 December 8, 2005 7:24 PM PST: This argument is getting old. It seems like every new story on cnet about a virus or worm leads to this type of discussion. I think mac users should continue to think they are better than everyone else and keep their mouth shut. Windows users should be more cautious as always and keep virus definitions current. I don't think either side will ever convince the either that they are right and switch OSs. People are self-righteous. I have nothing against mac or windows users.; Reply to this comment

NOT THE FIRST- Cnet is wrong here!
by Digital_Freedom December 10, 2005 11:49 AM PST: I agree.I actually had a yahoo messenger worm that did almost exactly the same thing in 2002-2003! The only difference was thatyou could read what the virus said to the victim (could read the "lol, cool.. check this link out" etc..) CNET: PLEASE DONT CALL THIS WORM THE FIRST THAT CHATS WITH A VICTIM TO DUP THEM TO CLICK A VIRUS INSTALL LINK. It's simply NOT TRUE.; Reply to this comment

See all 43 Comments >>

Latest tech news headlines

The main problem with Windows Vista
Posted in Defensive Computing by Michael Horowitz

September 6, 2008 7:50 PM PDT
Google-focused satellite enters orbit
Posted in News - Digital Media by Jonathan Skillings

September 6, 2008 7:33 PM PDT
In NFL deal, an extra point for Adobe's Flash
Posted in News - Digital Media by Jonathan Skillings

September 6, 2008 6:40 PM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Chrome's JavaScript challenge to Silverlight
The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.
Gallery
Photos: Top 10 reviews of the week
Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.
News - Apple
Apple watchers spot 'iPod Nano' pix, iTunes hints
The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.
Coop's Corner
Chris Shipley 1, Internet lynch mob 0
Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.
Video
Katie Couric reflects on first Webcast
The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.
News - Digital Media
Google-focused satellite enters orbit
The search titan has exclusive rights among online mapping sites to images from the new GeoEye-1 satellite, which launched Saturday.
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Gaming and Culture
Are Demo and TechCrunch50 fragmenting their audiences?
With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Images: The art of 'Spore' prototypes
Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.
Webware
At the TechCrunch50, an unfair advantage?
Inside baseball: How Webware and other blogs can compete with TechCrunch in covering the TechCrunch50 event.
Green Tech
Duke Energy to invest in mini solar power plants
Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.