Panda Security’s weekly report on viruses and intruders
February 2009 by Panda Security
MSNWorm.FU is a worm that spreads through MSN Messenger. It opens conversations with the infected user’s contacts and offers them a file disguised as a photo; contacts who accept it become infected. The file is sent together with sentences such as:
"me puedes marcar en esta foto de facebook?" (can you tag me in this facebook photo?)
"me cerraron mi cuenta por subir esta foto. si esta muy mal?" (they closed my account for uploading this photo. Is it that bad?)
"viste esta super fiesta de año nuevo?" (did you see this great New Year party?)
"toma, esta perfecta esta foto como wallpaper" (here, this photo is perfect as wallpaper)
The file is usually compressed into a .zip archive to avoid detection by Messenger.
DirDel.A is a worm that reaches computers displaying a folder icon, to fool users into running it. When run, it does not display any message or open any folder. This malware replaces folders in different directories with a copy of itself. For example, if there is a folder called Example, it creates a copy of itself called Example.exe in the same directory and deletes all the original folders and their content.
This worm spreads by copying itself to all the system drives and shared folders.
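A defender-side check for the folder replacement described above, as an added example that is not part of Panda Security's report: given a baseline list of folders recorded before infection (an assumption; the function names are hypothetical), it reports every folder that has disappeared while a same-named .exe now sits in its place. The sample directory tree is constructed.

```python
import os
import tempfile


def snapshot_dirs(root):
    """Return the set of directory paths (relative to root) found under root."""
    dirs = set()
    for parent, subdirs, _files in os.walk(root):
        for d in subdirs:
            dirs.add(os.path.relpath(os.path.join(parent, d), root))
    return dirs


def find_replaced_folders(root, baseline_dirs):
    """Return (folder, exe) pairs where a baseline folder is gone and
    '<folder>.exe' now exists in the same parent directory."""
    hits = []
    for rel in sorted(baseline_dirs):
        folder = os.path.join(root, rel)
        impostor = folder + ".exe"
        if not os.path.isdir(folder) and os.path.isfile(impostor):
            hits.append((rel, os.path.relpath(impostor, root)))
    return hits


def demo():
    """Build a constructed tree, imitate the 'after' state, and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("Example", "Photos", os.path.join("Photos", "2008")):
            os.makedirs(os.path.join(root, name))
        baseline = snapshot_dirs(root)  # taken while the tree is clean
        # Constructed 'after' state: the Example folder is gone and a
        # same-named .exe (harmless placeholder bytes) sits in its place.
        os.rmdir(os.path.join(root, "Example"))
        with open(os.path.join(root, "Example.exe"), "wb") as fh:
            fh.write(b"placeholder, not a real executable")
        return find_replaced_folders(root, baseline)


if __name__ == "__main__":
    for folder, exe in demo():
        print(f"folder '{folder}' is missing, '{exe}' is present in its place")
```

Because the original folders are deleted, a hit means the data has to come back from backup; the check only narrows down which directories were affected.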
P2PShared.AB reaches computers disguised as an email file, with names related to trademarks, such as Ikea.exe. To spread, it copies itself onto the shared files of P2P programs, with names of programs, disks, and so on. For example: Youtube Music Downloader 1.0.exe, Absolute Video Converter 6.2.exe, FOOTBALL MANAGER 2009.exe, Password Cracker.exe.
This worm also spreads via email by sending spam messages with subjects such as "You've received a Hallmark E-Card" and an attached file called postcard.zip, which contains malware.
In addition, this week PandaLabs has reported a new phishing attack that uses Facebook as bait. French users received a message inviting them to view specific content on Facebook. When they did, they were redirected to a fake Facebook page, similar to the original. Any details they entered were sent to cyber-crooks.