Kaspersky Lab detects new IM worms capable of spreading via almost all instant messengers

30 Aug 2010
Virus News

Kaspersky Lab announces the detection of a new family of computer worms that are spreading via numerous instant messaging clients. What makes the worms distinct and highly unusual for this class of program is the fact that they are multilingual and capable of infecting users via several IM clients simultaneously, including Yahoo! Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers.

Four variants of this worm have so far been detected by experts at Kaspersky Lab, who have named the family IM-Worm.Win32.Zeroll. Once the worm penetrates a computer, it looks in the contact list of any IM client present and sends itself to all the addresses it finds. Infection occurs when a user follows what they think is a hyperlink to an interesting picture but which in fact leads to a malicious file. The link appears in an instant message sent by an infected machine.

The fact that it is multilingual also makes the new family of IM worms stand out. IM-Worm.Win32.Zeroll uses 13 different languages, including English, German, Spanish and Portuguese, sending users in various countries messages in a language that they will understand. At the present time, Mexico, Brazil, Peru and the USA have seen the greatest numbers of infections, but many instances have also been recorded in Africa, India and European countries, particularly Spain.

IM-Worm.Win32.Zeroll has backdoor functionality, which means it can gain control of a computer without the user's knowledge. Once it has penetrated a system, the worm contacts a remote command and control centre. After receiving its instructions from the centre via IRC, IM-Worm.Win32.Zeroll starts downloading other malicious programs. Interestingly, this new breed of IM worm connects to different IRC channels depending on the country and the instant messaging clients located on the computer. This means a hacker controlling a network of infected computers can classify them according to country and IM client and send out different commands, which is useful, for example, when distributing targeted spam.

"It appears that the worm's creators are currently in the early stages of their criminal activities," said Dmitry Bestuzhev, Kaspersky Lab's Regional Expert for Latin America. "They are infecting as many machines as they can in order to get good offers from other crooks for such things as pay per install, spam and so on."

All Kaspersky Lab products successfully detect and neutralise the new family of IM worms.