A Trojan spreading through MSN Messenger is posing as files from known or unknown contacts and also searches for virtual instances running on the PCs.
The as-yet-unnamed Trojan horse began hitting systems about 7 a.m. EST on Sunday, according to Roei Lichtman, the director of product management at Aladdin Knowledge Systems Ltd. "We still haven't found what it's meant to do, but at the moment, it's creating an army [of bots]," he said. "Eventually, of course, the operator will send commands to do something."
Users of Microsoft's Windows Live Messenger instant messaging program receive a message that includes spoofed Zip files, such as one named "pics" that is actually a double-extension executable in the format "filenamejpg.exe" or a file labeled "images" that in reality is a .pif executable.
Not only is the propagation of the malware via Messenger very fast, but its ability to search and infect the virtual instances is evidence of a scary trend in malware evolution.
"A lot of malware has the ability to run in a virtual machine, work out it's in a virtual session, then completely shut down," said David Marcus, security research manager for McAfee Avert Labs. "It's not a large jump to go from malware realising it's in a session to it jumping out."
Marcus also warned that VoIP, or Internet telephony, would also be a target in 2008.
"We think we'll end up seeing theft-of-service attacks, like old-style phreaking," said Marcus. "People will steal calls, divert calls and impersonate others."
Users are warned about clicking on the files received unexpectedly from Messenger contacts.
New Trojan scans for virtual machines (Techworld)