Instant Message, Instant Infection

It's getting harder to trust your IM buddies: A new worm in the wild purports to be a warning from one of your buddies about a computer virus.

The IM-Worm.Win32.Qucan.a. -- initially discovered by MicroWorld Technologies and subsequently dubbed by Trend Micro as WORM_SOHANAD.A -- is spreading in MSN Live Messenger and Yahoo Messenger, but not AIM. It started with a link to a "photo" of the new Miss World 2006 winner but has gotten more insidious in the past few days with a more legitimate-sounding message: "A new dangerous computer virus that can destroy all your data has just been released. Click here to know how to avoid it."

What's even more scary about this worm is that once a user clicks on the link, it becomes the home page for the browser and "greys out" the options in Internet Explorer to get rid of it. "When you click on it, it infects the computer fast by copying its files onto the computer and downloads from that Website," says Agnelo Fernandes, head of technical support for MicroWorld.

The infected link is embedded in the home page, so every time a user launches IE, it reinfects the computer, he says. The only way to fix it is by going into the registry to make changes. The worm also terminates most common AV processes, says Fernandes, who spotted the worm posing as IMs from his own MSN Live Messenger buddy list.

It's unclear just how widespread the IM worm is at this time, but several iterations are circulating, experts say.

— Kelly Jackson Higgins, Senior Editor, Dark Reading