Fron; Panda Virus Alerts: - Three new worms threaten instant messaging users, while the cyber-war between virus authors continues - Virus Alerts, by Panda Software (http://www.pandasoftware.com) Madrid, March 7, 2005 - Virus creators are continuing to demonstrate their interest in instant messaging as a rapid means of spreading malicious code. PandaLabs has detected the appearance of three new worms -Kelvir.B, Kelvir.C and Fatso.A- programmed to spread via MSN Messenger. The new Kelvir worms reach computer in messages with texts like: omg this is funny! (Kelvir.B) or lol! see it! u'll like it (Kelvir.C), which include a link to an Internet address. If the user clicks on this link, files containing the code of these worms will be downloaded and installed on the computer. These then send new messages to the contacts in MSN Messenger. At the same time, they download variants of the Gaobot or Sdbot Trojans from another web address. These Trojans allow a hacker to gain remote control of the affected computer through IRC chat channels. It is important to mention that all of the web pages from which the Kelvir worms or the Sdbot or Gaobot Trojans are downloaded have already been blocked, preventing them from continuing to spread. However, Panda Software's international tech support network detected, up until then, that Kelvir.B and Kelvir.C had spread widely to users' computers worldwide. The Fatso.A worm sends messages containing links to a page from which a file containing a copy of its code is downloaded and run. When it gets into a computer, it sends itself to all the contacts in MSN Messenger and downloads other files to the system root directory. These files can have names like Annoying crazy frog getting killed.pif, Crazy frog gets killed by train!.pif or Fat Elvis! lol.pif. This worm is also capable of spreading through P2P applications like KaZaA. To do this, it creates copies of itself in the shared directories used by these programs. Fatso.A also ends the processes of various security programs running in memory, leaving the computer vulnerable to other possible attacks. What's more, Fatso.A continues with the cyber-war between virus authors that started with the appearance of the Assiral.A worm, which showed a text attacking the Bropia worms. In response, Fatso.A creates a file called Message to n00b LARISSA.txt on affected systems, which contains an unfriendly message to the Assiral author and signed by someone called Skydevil. Luis Corrons, head of PandaLabs, warns: "It is probable that new worms that spread via MSN Messenger will appear over the next few hours, and therefore, it is highly recommendable to take precautions with messages received through this application. The situation is getting more dangerous for users of instant messaging applications. As well as these new malicious code, the 20 variants of the Bropia worm and the two variants of the Stang worm detected over the last few days also use this means to spread. What's more," he adds, "cyber-criminals are showing a growing interest in instant messaging and there is a tendency to launch blended threats. The two new Kelvir worms, for example, not only aim to spread as widely as possible but also try to install other malware on computers. These could be used to carry out all kinds of actions, such as online fraud using confidential data stolen from affected computers." Due to the possibility of receiving malicious code through instant messaging applications, Panda Software advises users to have reliable, updated anti-malware installed, and to be wary of all messages received, regardless of the source. Panda Software clients already have the updates available to detect and disinfect these new worms and the other malicious code that use instant messaging to spread. Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(tm) Technologies at: http://www.pandasoftware.com/truprevent In addition, users can scan their computers online for free with Panda ActiveScan available at http://www.pandasoftware.com For further information about the Kelvir, Fatso, Assiral, Bropia and Stang worms visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/ NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL. ------------------------------------------------------------ To contact with Panda Software, please visit: http://www.pandasoftware.com/about/contact/ ------------------------------------------------------------ *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member