Email worm graduates to IM

The Chod.B worm is now spreading over Microsoft's instant-messaging service, after first being observed spreading over email systems last week
Written by Munir Kotadia, Contributor

A worm that first disguised itself as an email from computer vendors now attempts to trick MSN Messenger users into executing malicious files.

The Chod.B worm, which was first discovered on April Fool's day, spreads via email purportedly from Microsoft, or security vendors Symantec and Trend Micro.

When using MSN Messenger as its propagation tool, the virus sends out messages to contacts from the infected user's address book, warning them that they are about to receive a file. The virus then sends a file designed to infect the recipient.

Trend Micro’s senior systems engineer Adam Biviano said the development is 'alarming' because it mimics the behaviour of a real IM user.

"The virus will send you a message first saying 'check out what I just found on the Internet', and then send you [the malicious] file. It is not just sending files out of the blue anymore — it is trying to imitate what a friend in your contact list would do," said Biviano.

Chod.B also contains a tool that allows it to steal passwords from a number of IM applications — including AOL, ICQ Lite, Miranda, MSN Messenger, Trillian, and Yahoo Messenger.

Biviano said that because the virus author has also included a way to communicate with the virus, it could mean that in the future the same virus could be instructed to infect more than just MSN Messenger users.

However, even when using e-mail to spread, Chod.B spoofs the 'from' field of the e-mail so it appears to have been sent from either security@microsoft.com, security@trendmicro.com or securityresponse@symantec.com.

According to Biviano, viruses in the past have tried to look like they were sent by Microsoft but this is the first time virus writers have tried to pass off a virus as a message from an antivirus company.

"We have seen them in the past from [Microsoft] but not specifically from the other two addresses. It is just another social engineering attempt to try and trick users into executing the files," said Biviano.

Biviano said although Chod.B is cleverly designed, it is unlikely to become a widespread threat.

MSN Messenger — which has previously been targeted by virus writers — isn't the only instant messaging service to be exploited. Last week, phishers took aim at Yahoo's Messenger service by attempting to steal usernames, passwords and other personal information. The search giant admitted that attackers were sending its users links to fake Web sites that mimicked a Yahoo site and asked the user to log in by entering their username and password.

In fact, security firm Websense has warned that hackers are increasingly using instant messaging applications to fool users into installing malicious code and revealing personal information.

Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.

Editorial standards