Beware the New IM Worm: Heartworm!
Yep, we've gone Worm crazy this week - so we kicked it all off with the Pipeline Worm, and we're finishing things off with the Heartworm (well, W32Heartworm.a to be precise), which targets the MSN Instant Messaging Network.
Heartworm, I hear you say? (the dog picture in the IM chatbox is completely accidental, I swear).
Well, let me explain. Net hoaxes are awesome. Awesomely bad, but awesome all the same. There's a rich set of pickings there for anyone willing to do a little research. What if someone based an IM attack on a really tangled set of references to web hoaxes? What if they popped open images from good guys' websites as part of their elaborate net-hoax referencing and tried to steal all your money? What if I found such a Worm while researching the Pipeline story?
Well, it's your lucky day!
A full rundown can be seen here on the Spywareguide blog - we'll be putting a release out about it with more info later - but here's the notable quotable version:
The infection spreads by way of a file in circulation on Russian webhosting sites, which claims to have a "virtual card" waiting for the recipient - when the file is run, a picture of a heart containing a poem is launched, and the infected user will pass the infection link to their contacts. At the same time, some data theft components will be dumped onto your computer and then you'll probably start to cry.
We've seen a number of variations on this in the last six days or so that we've been working on it, but they all do something rather odd: they pop open an image from a good guy website. Quatrocantos, a well-known site that tackles hoaxes - think Snopes.com - has an article about a "fake" virtual card being sent to end-users, in the form of a trojan.
Well, the bad guys behind this attack decided to have a little fun, so they take an image from the page on that attack and pop it open in this one. There's also some crazy stuff you can tie into this regarding an old hoax from 2000 called "a virtual card for you" - especially as Quatrocantos have a page on that one, too. These guys are basically dressing this worm up in old net lore and probably making it more difficult for infected users to find out more information about the attack. By using the picture of the heart, itself a hoax, ripped from a site about hoaxes, they're also doing something vaguely clever - turning the promise of a "virtual" card that you never receive into a real card that you do.
Of course, you get a bunch of data theft garbage installed on your PC too, but hey, they're sending you a love poem so it's okay really.
More Coverage: Digg Slashdot Realtechnews

