A new “multiple language” smart worm is spreading through Instant
Messaging, checking system settings of IM clients and then sending messages
in the appropriate language.
The virus appears to be a new variant of the Kelvir instant messaging
(IM) worm dubbed Kelvir.HI, propagating over a leading public IM network,
said security firm Akonix.
Akonix says it is the first worm ever identified that intelligently
checks system settings and delivers the worm in the proper language.
“The rise of IM threats is mostly 2005 phenomena,” Francis Costello, CTO at Akonix, said. “For the most part these social
engineering attacks are pretty basics. Except this one.”
Costello also said this form of advanced social engineering, where a
virus discovers which language a user is working in, and then propagates
itself in the same language, is a trend likely to continue.
So far the worm has only been spotted on the MSN IM
client.
“It figures if you’re speaking French, your buddy is also speaking
French,” he said.
Earlier this month, the Akonix Security Center reported a total 42 new threats
aimed at corporate IM systems in July, which is a 24 percent increase
over the previous month.
The Akonix Security Center has classified the most recent worm as low
risk and immediately used the industry’s only real-time IM malware, SPIM and
protocol update system to automatically push updates to customers for
protection against this threat.
So far the smart worm has been spotted in 10 languages, delivering the
same line: “haha i found your picture!” The languages are: English, Spanish,
Dutch, French, German, Greek, Swedish, Italian, Portuguese and Turkish.
The virus moves once users click on the link in the message, a copy of
the Spybot worm is automatically downloaded to their computer. Spybot is a
backdoor program that, among other malicious activity, can end security
applications, log keystrokes and receive remote commands, according to
Akonix.
