New MSN Messenger Trojan Targets VNCs Too [updated]

eWeek reports that a new MSN Messenger Trojan is infecting hundreds of PCs per hour since it was launched yesterday. The speed of infection's a big concern, but what's even worse is how it works.

Double-Extension Blues

One of the methods this new IRC bot uses is the old double-extension trick: the Trojan executable disguises itself as a digital camera file such as DSC00452.jpg.exe. Users see the .jpg "extension" and figure all is well (some versions of this threat use a file called IMGxxxxxx.pif instead).

Trick Number Two: Contact Harvesting

The Trojan gathers contacts from infected PCs, and uses them to spread itself to new victims. In the best social-engineering tradition, users who are expecting to get a picture from a friend wind up getting infected instead.

[Corrected per updated eWeek article- see comment below]

Kicking It Up a Notch: Gunning for VNCs VMs

The infection and distribution techniques are all too familar, but the difference is that this Trojan isn't just gunning for physical PCs, but also for virtual network connections (VNCs). VNCs are widely used for remote support.machines (VMs). VMs are becoming very popular for hosting guest operating systems (Windows on MacOS, Vista on XP, etc.), in security appliances, and elsewhere.

Stop That Bot!

So, what can you do to stop this threat?

• If you use MSN Messenger, don't assume that file attachments are actually being sent by an actual friend. Don't accept a file until you check with your contact.
• Make sure your antivirus program checks IM file attachments for threats.
• Suggest your friends using MSN Messenger switch to another IM client with better security.
• If you use VNC connections, make sure you know who's on the other end of the connection.
• And, finally, "think before you click."