A new version of the worm that spread from infected Microsoft web servers in June has been identified and is using instant messages and infected websites in Russia, Uruguay and the USA to spread itself, according to one security company.
Researchers at PivX Solutions of California, have intercepted new malicious code closely resembling that from widespread attacks in June attributed to a worm named "Scob" or "Download.ject."
The new attacks use mass-distributed instant messages to lure internet users to websites that distribute malicious code similar to Download.ject, says Thor Larholm, senior security researcher at PivX.
This wave of attacks works similarly, routing victims to websites with code that takes advantage of vulnerabilities in Microsoft Internet Explorer and Outlook.
Though Microsoft has patched those vulnerabilities, the attackers are attempting to exploit unpatched systems. Two patches from 2003, MS03-025 and MS03-040M, address the flaws used by the new worm, Larholm says.
The attacks begin with instant messages sent to people using America Online's AOL Instant Messenger or ICQ instant messaging program. The messages invite recipients to click on a link to a web page, with pitches such as "Check out my new home page!" The messages could appear to be sent from strangers or from regular IM correspondents, or "buddies," Larholm says.
Once victims click on the link, they are taken to one of a handful of attack web pages hosted on servers in Uruguay, Russia and the USA. There, a Trojan horse program is downloaded.
In addition to opening a "back door" on the victim's computer through which additional malicious programs can enter, the new attacks change the victim's web browser home page or Outlook e-mail search page to websites featuring adult content, Larholm says.
PivX is still analysing the attacks to see if malicious code is placed on victims' machines.
However, many of the files used by the new worm and the way the attacks occur point to the same group that launched the Scob attacks in June, Larholm says.
"The code is different enough to be something of its own, but unique enough to be related," he says. "And as with the Scob attacks, this is all about money – in this case, driving ad revenue for specific people."
PivX has informed antivirus companies of the new malicious code, Larholm says.