MSN Messenger used for viral gang warfare

Just weeks after Microsoft forced millions of MSN Messenger users to update their client software in order to stop the spread of a worm, the popular instant messenger service is once more being exploited by virus writers.

Antivirus firm Trend Micro has issued a 'medium risk' alert for both the Kelvir.B and Fatso.A worms. Although similar in functionality, the worms are not thought to be connected.

Jamz Yaneza, senior virus researcher at Trend Micro's antivirus labs division, said that the worms spread by sending messages that contain Internet links to malicious bots. Once downloaded, the bots allow an attacker to take full control of the infected computer. The worms send messages to all the infected user's IM contacts that are online.

"The real losers in this game are the end users who are unaware their systems are being infected, or that back doors are being opened to their networks," said Yaneza.

However, the worm writers are not only attacking end users, they are also verbally insulting each other.

According to Trend Micro, the worms contain abusive messages targeted at rival virus writers.

The Fatso.A worm, which can also spread using the eMule P2P file sharing application, contains a text file with a message for 'Larissa', who is thought to be responsible for the Assiral.A worm that was discovered earlier this year. Assiral. A was a 'good' worm — it was designed to search and destroy variants of the Bropia worm, which also used the MSN Messenger service to spread.

On infected systems, the Assiral.A worm displayed the message: "Larissa - Anti-Bropia - Freeing the world of Bropia".

In response, the FATSO worm's message says: "Hey LARISSA f**k off, you f**king n00b!.. Bla bla to your f**king Saving the world from Bropia, the world n33ds saving from you!"

"It sounds comical, but these are like gang members that are tagging neighbourhoods but using malware creations as a vehicle to communicate insults at one another," said Yaneza.

In February, Microsoft forced millions of its MSN Messenger users to download a new version of the software to plug a security vulnerability. The mandatory upgrade began after a security company posted information that would help a would-be attacker exploit the vulnerability. MSN Messenger users were then greeted with a notice to upgrade before they could open their instant messaging clients.

According to a Microsoft spokesperson, the MSN Messenger service will not have to be upgraded or patched this time because the worms rely on user interaction rather than exploiting a programming error.

"These worms do not exploit security vulnerabilities, but rather rely on the user to accept a file and then run it. The worm then sends itself to all the contacts in a user's MSN Messenger contact list," the spokesperson said.

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.