MSN Threat

Petunia

MSN Messenger worm seeds zombie networks

A worm spreading via MSN Messenger is turning infected
Windows PCs into zombie drones. The Bropia-F worm spreads by
offering "sexy image files" to IM contacts of infected
users.

Instead of racy documents, users who accept and open
infected files get a comical photo of a roasted chicken with
a bikini tan line. In the background, Bropia-F installs a
variant of the infamous Agobot (AKA Phatbot or Rbot) worm,
opening a backdoor on infected systems. The bot can then be
used to collect system information, log keystrokes and relay
spam.

"Many corporations have been blocking use of instant
messenger programs for employee productivity reasons, and
now may have good cause to do so for security reasons as
well," said Joe Hartmann, senior virus researcher at
anti-virus firm Trend Micro. "With the popularity of instant
messengers, it may be the home users who are most at risk -
this kind of worm uses humour to make people forget that
they are being infected and backdoors are being opened into
their systems."

Bropia-F arrives in a file about 184 KB in size. It tries to
spread to other MSN Messenger users by sending a copy of
itself under one of these filenames: bedroom-thongs.pif,
hot.pif, lmao.pif, lol.scr, naked_drunk.pif, new_webcam.pif,
rofl.pif, underware.pif and webcam.pif.

Sightings of the worm have been reported in Taiwan, China,
Korea, Costa Rica and the US since it began spreading
earlier this week. Anti-virus firms rate the worm as a
medium risk.

Users are also advised to apply the principles of safe
computing and to exercise caution in the programs they allow
to self-install on their PCs. Windows users are also advised
to update their antivirus signature files to detect the
worm, just in case.