Tricky worm can spread via AIM, IRC

Beware of instant messages promising naughty content. A new worm has surfaced, and while experts consider it low risk, its capability to spread via AOL's Instant Messenger and Internet Relay Chat (IRC) while offering "free porn" makes it unique and potentially troublesome.

"This is not something that Symantec thinks users should panic about," says Dee Liebenstein, product manager of Symantec Security Response. "But it is unique in that it has taken advantage of AOL Instant Messenger. This shows how virus writers learn to take advantage of new technology and social engineering to spread viruses."

Called W32.Aphex@mm or W32.Aplore@mm, this mass-mailing worm infects PCs several different ways. For starters, once it infiltrates a PC it can mail itself to all e-mail addresses in the Microsoft Outlook address book, Liebenstein says. It's just the latest worm to strike the oft-maligned Outlook, which some experts suggest is full of security flaws.

The message arrives in your inbox with only a period in the subject line and a message, Liebenstein says. If you open the message and open the attached .COM file, the worm infects your PC.

Once the worm gets in, it gets busy, says Lisa Smith, product manager for McAfee consumer products. It can replicate by sending messages to those listed in your Outlook address book, and can initiate instant messages. In the case of AIM users, it waits until you connect to the service and send a message to one of your buddies. Then it replaces your message with one of a number of variations, including one that offers free porn by clicking the included URL.

If your buddy clicks, the worm generates a pop-up window that says the recipient needs a browser plug-in. If she or he agrees to that download, the worm routes your buddy's browser back to your own infected PC, and then infects your buddy's computer.

The worm can also use IRC, the Internet's first version of chat rooms, to replicate itself. The worm installs a freeware IRC program to make your PC IRC-capable, then establishes itself as an IRC server. From here it connects to an IRC channel and tries to entice other visitors there to click on a similar link.

Both Symantec and McAfee consider the worm low risk because very few users have reported infections (Symantec counts only 25 user infections). Plus, the worm's payload is simply to replicate itself, so it is not causing damage to the PCs where it takes root.

But it can be annoying and can tie up network bandwidth, says Symantec's Liebenstein. Symantec has already created a signature file that identifies the virus, and she encourages Norton AntiVirus users to download the latest update immediately.

Users of McAfee VirusScan 6.0, the newest version, are protected from the Outlook-borne strain of the virus, thanks to a feature called HAWK (Hostile Activity Watch Kernal), Smith says. The feature prevents the worm from creating a mass mailing in Outlook by monitoring any attempt to send e-mail to more than 60 percent of your address book. A pop-up warning lets you know if a program is trying to create a mass mailing, alerting you to the possible presence of a virus.

Owners of earlier versions of VirusScan can download a daily DAT file to ward off the worm, but Smith notes this file is a beta, intended largely for corporate users. Unless McAfee upgrades the status of the worm from low to medium risk, she suggests that home users wait until Wednesday to download the official weekly update.

"This isn't going to be a big hitter for home users, because it goes through Outlook rather than Outlook Express," she says. Most home users opt for Express, while corporate users are more likely to run standard Outlook, she says.

That said, both firms are keeping a close eye on the worm, and will alert users to further developments.

"We are watching it; it may be something that's slow to transmit," Smith says. "The pieces in it are working, so it is capable of working and doing what it's trying to do."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tom Mainelli

PC World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?