Chicken Swimsuit Model Hides Nasty WormBy Ryan Naraine | Posted 2005-02-04 Email Print
The Bropia worm lures MSN Messenger users with promises of sexy image files, but there's a bigger danger lurking, anti-virus experts warn.
Anti-virus vendors have raised the threat level on a double-barreled MSN Messenger worm that lures users with the promise of sexy image files.
The worm, identified as W32/Bropia, arrives as a download link within MSN instant messaging sessions, but instead of sexy photographs, infected users get an image of a cooked chicken on a platter with a neatly drawn bikini tan line.
The worm also deposits a variant of the Rbot backdoor Trojan that is capable of using infected machines to create zombie networks, security experts warn.
The Rbot variant represents a large family of backdoors that can be used to hijack sensitive data from a victim's machine. According to an advisory from McAfee Inc., the Trojan connects to a remote IRC server to receive remote commands that could range from the launch of denial-of-service attacks to the scanning of local subnets to find unpatched machines.
The worm, which also disables anti-virus software and manipulates audio sounds on an infected machine, is capable of logging and reporting keystrokes, relaying spam and harvesting credit card numbers and other sensitive passwords.
McAfee said the Trojan has been programmed to target machines vulnerable to a list of previously reported security flaws. In addition, the worm carries a large list of user names and passwords to launch brute-force attacks on poorly secured machines.
Panda Software also increased the threat level for Bropia after intercepting the worm in several countries, including the United States, Mexico, Canada, China, Korea and Taiwan.
In an online advisory, Panda Software said the worm spreads itself by sending a link via IM urging recipients to download one of the following files: "Drunk_lol.pif"; "Webcam_004.pif"; "sexy_bedroom.pif"; "naked_party.pif"; or "love_me.pif."
The MSN Messenger application has to be open on the infected computer's desktop for replication to be successful.
Trend Micro Inc. has released a medium risk advisory for the memory-resident worm and urged system administrators to block MSN Messenger transfers to control the worm's propagation.
"As a general rule, MSN Messenger users should avoid accepting file transfers coming from an untrusted source," Trend Micro added.