New AIM threat from 'talking' worm

By Steve Malone

Posted on 8 Dec 2005 at 10:44

A new threat has emerged for user of AOL Instant Messenger - a virus that 'talks' to the victim. The new talking virus tries to convince the target user that it is not malicious and encourages them to visit a site that, of course, contains the malicious code.

The worm, known as IM.Myspace04.AIM broadcasts to other users from an infected machine. It does not intend to hold intelligent conversations over the AIM service but merely puts up random responses to messages. These include posts such as `lol no its not its a virus' and 'lol thats cool' and in many ways acts just like a typical AIM user. However, it will also point to a .pif file on the myphotos.cc domain.

The carrier file known as 'clarissa17.pif,' will then install a backdoor, as well as changing system files. More insidiously, it will also attempt to disable any anti-virus software that is running on the machine. After performing the changes to the system, it will then attempt to replicate itself to contacts on the victim's buddy list.
The company which has issued the alert, IMLogic, also warns that the worm cloaks the messages it sends from the user's IM client who may therefore have no clue that their machine is infected.
Currently, the worm is not particularly widespread although any novel malware is likely to attract copycat attackers. As ever the advice is to keep anti-virus protection fully up to date and do not visit suspect pages or open files. Users should be on their guard against spontaneous chats from people on their buddy list who are suddenly speaking in a peculiar manner. AIM users should be particularly wary of messages leading to pages containing .pif files, even if they are holding you in a fascinating IM conversation.