Three new worms threaten instant messaging users,
while the cyber-war between virus authors continues -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 7, 2005 - Virus creators are continuing to demonstrate their
interest in instant messaging as a rapid means of spreading malicious code.
PandaLabs has detected the appearance of three new worms -Kelvir.B, Kelvir.C
and Fatso.A- programmed to spread via MSN Messenger.

The new Kelvir worms reach computer in messages with texts like: omg this is
funny! (Kelvir.B) or lol! see it! u'll like it (Kelvir.C), which include a
link to an Internet address. If the user clicks on this link, files
containing the code of these worms will be downloaded and installed on the
computer.

These then send new messages to the contacts in MSN Messenger. At
the same time, they download variants of the Gaobot or Sdbot Trojans from
another web address.

These Trojans allow a hacker to gain remote control of the affected computer
through IRC chat channels.

It is important to mention that all of the web pages from which the Kelvir
worms or the Sdbot or Gaobot Trojans are downloaded have already been
blocked, preventing them from continuing to spread.

However, Panda Software's international tech support network detected,
up until then, that Kelvir.B and Kelvir.C had spread widely to users'
computers worldwide.

The Fatso.A worm sends messages containing links to a page from which a file
containing a copy of its code is downloaded and run. When it gets into a
computer, it sends itself to all the contacts in MSN Messenger and downloads
other files to the system root directory.

These files can have names like:

Annoying crazy frog getting killed.pif
Crazy frog gets killed by train!.pif
Fat Elvis! lol.pif.

This worm is also capable of spreading through P2P applications like KaZaA.

To do this, it creates copies of itself in the shared directories used by these
programs.

Fatso.A also ends the processes of various security programs running in
memory, leaving the computer vulnerable to other possible attacks.

What's more, Fatso.A continues with the cyber-war between virus authors that
started with the appearance of the Assiral.A worm, which showed a text
attacking the Bropia worms. In response, Fatso.A creates a file called
Message to n00b LARISSA.txt on affected systems, which contains an
unfriendly message to the Assiral author and signed by someone called
Skydevil.

Luis Corrons, head of PandaLabs, warns: "It is probable that new worms that
spread via MSN Messenger will appear over the next few hours, and therefore,
it is highly recommendable to take precautions with messages received
through this application.

The situation is getting more dangerous for users of instant messaging
applications. As well as these new malicious code, the 20 variants of the
Bropia worm and the two variants of the Stang worm detected over the
last few days also use this means to spread.

What's more," he adds, "cyber-criminals are showing a growing interest in instant
messaging and there is a tendency to launch blended threats. The two new
Kelvir worms, for example, not only aim to spread as widely as possible but
also try to install other malware on computers. These could be used to carry
out all kinds of actions, such as online fraud using confidential data
stolen from affected computers."

Due to the possibility of receiving malicious code through instant messaging
applications, Panda Software advises users to have reliable, updated
anti-malware installed, and to be wary of all messages received, regardless
of the source. Panda Software clients already have the updates available to
detect and disinfect these new worms and the other malicious code that use
instant messaging to spread.

Panda Software's clients can already access the updates for installing the
new TruPrevent(tm) Technologies along with their antivirus protection,
providing a preventive layer of protection against new malicious code. For
users with a different antivirus program installed, Panda TruPrevent(tm)
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent(tm)
Technologies at: http://www.pandasoftware.com/truprevent

In addition, users can scan their computers online for free with Panda
ActiveScan available at http://www.pandasoftware.com

For further information about the Kelvir, Fatso, Assiral, Bropia and Stang
worms visit Panda Software's Virus Encyclopedia at
http://www.pandasoftware.com/virus_info/encyclopedia/