Versatile worm infects IM clients

Computer worm

Kaspersky Lab has found a new breed of computer worm that spreads through instant messaging (IM) clients. These include Yahoo Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client used by online gamers.

The research team have found four variants which affect Windows systems. When one of these worms, generically named IM-Worm.Win32.Zeroll, infects a client, it searches for the contact list and sends itself in disguise to all the addressees. The recipient sees a message from the infected machine with a link to an image which turns out to be a malicious file.

A distinctive feature of the worm is it can send a message in one of 13 different languages to fool the recipient. Though the languages include English and German, Kaspersky has found it to be mainly active in countries where Spanish or Portuguese is spoken: Mexico, Brazil, Peru and the US.

The team also noted that it now appeared to be spreading to Africa, India and Europe, especially Spain.

Each worm acts as a backdoor and contacts a command and control centre. A hacker can then orchestrate the attack by classifying all of the infected systems according to country and IM client. This determines which commands should be sent and indicates the local language, which could be useful for distributing targeted spam.

Kaspersky claimed the hackers were creating a malware asset.

"They are infecting as many machines as they can in order to get good offers from other crooks for such things as pay per install, spam and so on," said Dmitry Bestuzhev, Kaspersky Lab's regional expert for Latin America.