A Download.Ject-style worm which spreads through instant messages is spreading across the Net, according to intrusion prevention firm PivX.
The as-yet unnamed worm arrives as an innocuous looking instant message on AIM or ICQ which says: "My personal home page http://XXXXXXX.X-XXXXXX.XXX/". This link takes users to a one of a number of sites hosted in Uruguay, Russia and the US, from which a Trojan horse program is downloaded. These websites contains exploit code designed to infect surfers by taking advantages of a variety of well known IE exploits (such as Object Data, Ibiza CHM and MHTML Redirect).
Infection will modify a user's home page to a site called TargetSearch. The setting of an infected user's browser will also be changed to open up several browser windows displaying adult advertisement and referral links every time IE is loaded, according to preliminary analysis of the worm.
The scope of the worm's spread is unclear but early analysis hasn't revealed any of the key logging features that made the original Download.Ject worm such a menace.
Acting with law enforcement authorities, Microsoft was able to rapidly shut down the Russian website, but the affair still highlighted security concerns with IE. Security clearing house US-CERT took the extraordinary step of advising users to ditch IE in favour of alternative browsers. Microsoft has since fixed the underlying flaw that Download.Ject exploited.
PivX Labs has notified anti-virus vendors so that they can create signatures to defend against the latest threat, which is nowhere near as serious as the original Download.Ject worm. ®