Beware of instant messages promising naughty content. A new worm has surfaced, and while experts consider it low risk, its capability to spread via AOL's Instant Messenger and Internet Relay Chat (IRC) while offering "free porn" makes it unique and potentially troublesome.
"This is not something that Symantec thinks users should panic about," says Dee Liebenstein, product manager of Symantec Security Response. "But it is unique in that it has taken advantage of AOL Instant Messenger. This shows how virus writers learn to take advantage of new technology and social engineering to spread viruses."
Called W32.Aphex@mm or W32.Aplore@mm, this mass-mailing worm infects PCs several different ways. For starters, once it infiltrates a PC it can mail itself to all e-mail addresses in the Microsoft Outlook address book, Liebenstein says. It's just the latest worm to strike the oft-maligned Outlook, which some experts suggest is full of security flaws.
The message arrives in your inbox with only a period in the subject line and a message, Liebenstein says. If you open the message and open the attached .COM file, the worm infects your PC.
Once the worm gets in, it gets busy, says Lisa Smith, product manager for McAfee consumer products. It can replicate by sending messages to those listed in your Outlook address book, and can initiate instant messages. In the case of AIM users, it waits until you connect to the service and send a message to one of your buddies. Then it replaces your message with one of a number of variations, including one that offers free porn by clicking the included URL.
If your buddy clicks, the worm generates a pop-up window that says the recipient needs a browser plug-in. If she or he agrees to that download, the worm routes your buddy's browser back to your own infected PC, and then infects your buddy's computer.
The worm can also use IRC, the Internet's first version of chat rooms, to replicate itself. The worm installs a freeware IRC program to make your PC IRC-capable, then establishes itself as an IRC server. From here it connects to an IRC channel and tries to entice other visitors there to click on a similar link.
Both Symantec and McAfee consider the worm low risk because very few users have reported infections (Symantec counts only 25 user infections). Plus, the worm's payload is simply to replicate itself, so it is not causing damage to the PCs where it takes root.
But it can be annoying and can tie up network bandwidth, says Symantec's Liebenstein. Symantec has already created a signature file that identifies the virus, and she encourages Norton AntiVirus users to download the latest update immediately.
Users of McAfee VirusScan 6.0, the newest version, are protected from the Outlook-borne strain of the virus, thanks to a feature called HAWK (Hostile Activity Watch Kernal), Smith says. The feature prevents the worm from creating a mass mailing in Outlook by monitoring any attempt to send e-mail to more than 60 percent of your address book. A pop-up warning lets you know if a program is trying to create a mass mailing, alerting you to the possible presence of a virus.
Owners of earlier versions of VirusScan can download a daily DAT file to ward off the worm, but Smith notes this file is a beta, intended largely for corporate users. Unless McAfee upgrades the status of the worm from low to medium risk, she suggests that home users wait until Wednesday to download the official weekly update.
"This isn't going to be a big hitter for home users, because it goes through Outlook rather than Outlook Express," she says. Most home users opt for Express, while corporate users are more likely to run standard Outlook, she says.
That said, both firms are keeping a close eye on the worm, and will alert users to further developments.
"We are watching it; it may be something that's slow to transmit," Smith says. "The pieces in it are working, so it is capable of working and doing what it's trying to do."