Panda: three new worms threaten instant messaging users

- Three new worms threaten instant messaging users,
while the cyber-war between virus authors continues -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

Madrid, March 7, 2005 - Virus creators are continuing to demonstrate their interest in instant messaging as a rapid means of spreading malicious code. PandaLabs has detected the appearance of three new worms -Kelvir.B, Kelvir.C and Fatso.A- programmed to spread via MSN Messenger.

The new Kelvir worms reach computer in messages with texts like: omg this is funny! (Kelvir.B) or lol! see it! u'll like it (Kelvir.C), which include a link to an Internet address. If the user clicks on this link, files containing the code of these worms will be downloaded and installed on the computer. These then send new messages to the contacts in MSN Messenger. At the same time, they download variants of the Gaobot or Sdbot Trojans from another web address. These Trojans allow a hacker to gain remote control of the affected computer through IRC chat channels. It is important to mention that all of the web pages from which the Kelvir worms or the Sdbot or Gaobot Trojans are downloaded have already been blocked, preventing them from continuing to spread. However, Panda Software's international tech support network detected, up until then, that Kelvir.B and Kelvir.C had spread widely to users' computers worldwide.

The Fatso.A worm sends messages containing links to a page from which a file containing a copy of its code is downloaded and run. When it gets into a computer, it sends itself to all the contacts in MSN Messenger and downloads other files to the system root directory. These files can have names like Annoying crazy frog getting killed.pif, Crazy frog gets killed by train!.pif or Fat Elvis! lol.pif. This worm is also capable of spreading through P2P applications like KaZaA. To do this, it creates copies of itself in the shared directories used by these programs.

Fatso.A also ends the processes of various security programs running in memory, leaving the computer vulnerable to other possible attacks.

What's more, Fatso.A continues with the cyber-war between virus authors that started with the appearance of the Assiral.A worm, which showed a text attacking the Bropia worms. In response, Fatso.A creates a file called Message to n00b LARISSA.txt on affected systems, which contains an unfriendly message to the Assiral author and signed by someone called Skydevil.

Luis Corrons, head of PandaLabs, warns: "It is probable that new worms that spread via MSN Messenger will appear over the next few hours, and therefore, it is highly recommendable to take precautions with messages received through this application. The situation is getting more dangerous for users of instant messaging applications. As well as these new malicious code, the 20 variants of the Bropia worm and the two variants of the Stang worm detected over the last few days also use this means to spread. What's more," he adds, "cyber-criminals are showing a growing interest in instant messaging and there is a tendency to launch blended threats. The two new Kelvir worms, for example, not only aim to spread as widely as possible but also try to install other malware on computers. These could be used to carry out all kinds of actions, such as online fraud using confidential data stolen from affected computers."

Due to the possibility of receiving malicious code through instant messaging applications, Panda Software advises users to have reliable, updated anti-malware installed, and to be wary of all messages received, regardless of the source. Panda Software clients already have the updates available to detect and disinfect these new worms and the other malicious code that use instant messaging to spread.

Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(tm) Technologies at: http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda ActiveScan available at http://www.pandasoftware.com

For further information about the Kelvir, Fatso, Assiral, Bropia and Stang worms visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/

 

Sophos: W32/Kelvir-C
Aliases: IM-Worm.Win32.Kelvir.b

W32/Kelvir-C is an instant messaging worm that spreads by sending a message through Windows Messenger to all of an infected user's contacts.

W32/Kelvir-C arrives as an attachment called omf.pif in a message that encourages the recipient to visit a web page to download an update and reads:

<URL> lol! seeit! u'll like it

W32/Kelvir-C also attempts to download a file named ME.JPG from a remote website. At the time of the writing the site was unavailable.
-------------------------------------------------------------------------

Symantec: W32.Kelvir.C

W32.Kelvir.C is a worm that spreads through MSN Messenger and drops a variant of W32.Spybot.Worm.

Technical Details: http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.c.html#technicaldetails

 

Finally there is "Fatso": Fatso.A

Alias: W32/Assiral.C.worm, W32/Sumom-A, W32/Crog.worm, IM-Worm.Sumom.a, Win32.Worm.Sumom.A
Threat level: High
Type: Worm
Effects: It ends processes belonging to several security tools, which leaves the affected computer vulnerable to the attack of other malware, and prevents access to the websites of several antivirus companies. It spreads via MSN Messenger, P2P programs and CD-ROMs.
Affected platforms: Windows XP/2000/NT/ME/98/95
First appeared on: March 7, 2005
In circulation? Yes

Tech Details: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=61629
------------------------------------------------------------------------

Symantec: W32.Serflog.A
Discovered on: March 07, 2005
Last Updated on: March 08, 2005 12:04:07 PM

W32.Serflog.A is a worm that spreads through file-sharing networks and MSN Messenger. The worm also lowers security settings.

Also Known As: Win32.Bropia.U [Computer Associates], Sumom.A [F-Secure], IM-Worm.Win32.Sumom.a [Kaspersky Lab], W32/Crog.worm [McAfee], W32/Sumom-A [Sophos], WORM_FATSO.A [Trend Micro]
Type: Worm
Infection Length: 17,429 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details: http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.html#technicaldetails