Whether you’re faced with the threat of an IM Worm or Email Worm, it is important that you not take the bait!
An Instant Messaging Worm, or IM worm for short, is a standalone malicious program that specifically targets platforms which transmit text in (near) real time. That specialization aside, it has all the properties of a traditional computer worm: it self-replicates and propagates throughout a network.
An IM worm is often considered the successor of the email worm but is actually more alarming. Online chats are hotbeds for worms because of their communicative nature, so if an IM worm does make its way into a user’s account, it can locate and exploit their contact (or buddy) list effortlessly. Couple this with the amount of sensitive information stored on our smartphones and we have a very hazardous situation on our hands!
An email worm, also known as an Internet worm or mass mailer, came before the IM worm and can arguably be credited for its autonomous behavior. Although the latter does not typically require a vulnerable IP address to compromise a user’s contact list, URLs are still a critical part of its breaching process. Worms on both messaging platforms are known for sending messages that redirect users to malicious files carrying the body of the worm’s code. Each pulls this off differently, but the overall premise follows a pattern of social engineering.
The sending and receiving (or sharing) of information has always been critical to the spread of malware infections at large. Early viruses, like Brain and the Lehigh virus, were distributed whenever people shared their floppy disks or inserted them into shared workstations. No auxiliary hardware is required to disseminate email and IM worms, but both still require a user to be baited into doing something they probably shouldn’t do. This includes:
Accessing messages which appear to have come from a contact in the user’s buddy list.
Downloading attachments (or clicking on links) that appear to be harmless.
Submitting Personally Identifiable Information (PII) to websites that appear to be legitimate.
Each of these actions is a form of social engineering. They hack the natural social experience of communicating and sharing information.
Rise of the IM Worm
The first IM worm was discovered some time in 2001 but wasn’t taken seriously until late 2005. It is possible this was due to the peak of email viruses at the time, and to a slew of instant messaging worms, like the Hello Worm and Choke Worm, that weren’t patently malicious. Whatever the case, this four-year lapse in judgment led to the first major outbreak in the Netherlands, disseminated through Microsoft’s now-defunct MSN Messenger app.
Using a strategy similar to the one seen in the Anna Kournikova email virus, the message used to spread the worm was coupled with a malformed file attachment: a WMF image named Xmas-2006 FUNNY masked as a JPG image file.
But this wouldn’t be the only threat to rear its ugly head. Yahoo Messenger, ICQ (I Seek You) and AOL Instant Messenger (AIM) were other popular services that saw their platforms compromised by worms. Every developer has their own specific reason for creating them. While the WMF exploit was likely done for sport, it is common knowledge that the masterminds behind the Bropia and Kelvir worms were financially motivated.
Identifying an IM Worm
The decrease in IM Worm infections in recent years should not imply they no longer exist or pose a threat to the current digital landscape. It is crucial for users to be able to identify and mitigate the symptoms of these pesky Internet plagues. IM Worms today are much more sophisticated than their predecessors and could potentially impact an array of networks—not just one.
For example, 2001’s Choke Worm is remembered as one that specifically used the MSN Messenger app as a host. The worm itself was less than 1/25 of a megabyte in size and would simply replicate. It was triggered whenever an unsuspecting user instant messaged an infected client, which replied with a text message prompting the sender to download a malicious file. One could argue that the discontinuation of MSN Messenger, through its merger with the Skype application, provided the intrinsic benefit of curbing the Choke Worm.
The SoFunny Worm is another example of a targeted IM worm. Its host of choice was AOL Instant Messenger, and like the Choke Worm, it met its demise with the termination of the service. The AIM platform was notorious for its vulnerabilities and the SoFunny Worm took advantage of this by stealing login information. It avoided showing up in Windows Task Manager, where it could easily have been terminated, by disguising itself as a background operating system service.
IM and Email Worm Mitigation
As seen above, a commonality among email and instant messaging worms is the messages they send. They often appear to be from someone you know, but the content of the message is usually generic and out of the sender’s character. The messages will also contain links to external pages and resources. Many users are baited into clicking on these links because of the rapport established between them and the sender, who at this point has been compromised.
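The two tells described above, an unexpected external link and an attachment whose extension lies about its type (the WMF-masked-as-JPG trick from the Xmas-2006 FUNNY outbreak), can be checked mechanically. The following is an added example written for this article, not code from any worm or product it mentions; the message text and attachment bytes are constructed, and the format signatures are the standard JPEG and WMF header bytes.

```python
import re
from typing import Dict, List

# Format signatures: JPEG files begin with FF D8 FF; a placeable WMF begins
# with the key 0x9AC6CDD7 (little-endian D7 CD C6 9A), and a plain WMF
# META_HEADER starts with Type (1 = memory, 2 = disk) and HeaderSize 9.
JPEG_MAGIC = b"\xff\xd8\xff"
WMF_MAGICS = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sniff_type(data: bytes) -> str:
    """Identify the real format from the leading bytes, not the name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if any(data.startswith(m) for m in WMF_MAGICS):
        return "wmf"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Format the file name claims to be, based only on its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}.get(ext, "unknown")


def screen_message(text: str, attachments: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings for an IM message and its attachments."""
    findings = [f"external link: {url}" for url in URL_RE.findall(text)]
    for name, data in attachments.items():
        claimed, actual = claimed_type(name), sniff_type(data)
        if claimed != actual:
            findings.append(
                f"attachment {name!r} claims {claimed} but content is {actual}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a WMF header hiding behind a .jpg name, plus a link.
    fake_jpg = b"\xd7\xcd\xc6\x9a" + b"\x00" * 20
    for line in screen_message("haha check this out http://example.invalid/pic",
                               {"Xmas-2006 FUNNY.jpg": fake_jpg}):
        print(line)
```

A benign message with a genuine JPEG (leading bytes FF D8 FF) and no link produces an empty findings list, which is what lets this run silently in front of a chat client.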
Historical data shows that phishing and mass-distributed spam are the results of worm-like infections. Therefore, most antivirus (AV) products are able to curb and remove worms that have been identified. In other cases, removal tools are created for specific worms, as is the case with IM-Worm.Win32.Yahos.hl. This threat was highly dangerous in its time and impacted a computer’s operating system and network environment.
Regardless of the tool you use to remove an IM Worm, it is recommended you do so in either Safe Mode or Safe Mode with Networking. Please review our entry on Safe Mode for more information on this.
Modern computer worm infections, spread through the likes of email and instant messaging clients, are mostly electronic and require no supplementary hardware or physical media. The exploitative process, however, still hinges upon the naivety of users. But with sound knowledge of how to avoid and remedy such threats, users can limit the extent of damage caused by IM worms and continue to enjoy safe online communication experiences.