NOTICE: Instant Messages Can Spread Download.Ject

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

A Download.Ject-style worm which spreads through instant messages is
spreading across the Net, according to intrusion prevention firm PivX.

The as-yet unnamed worm arrives as an innocuous looking instant message
on AIM or ICQ which says: "My personal home page http://XXXXXXX.X -
XXXXXX.XXX/". This link takes users to a one of a number of sites hosted
in Uruguay, Russia and the US, from which a Trojan horse program is
downloaded. These websites contains exploit code designed to infect
surfers by taking advantages of a variety of well known IE exploits
(such as Object Data, Ibiza CHM and MHTML Redirect).

Infection will modify a user's home page to a site called TargetSearch.
The setting of an infected user's browser will also be changed to open
up several browser windows displaying adult advertisement and referral
links every time IE is loaded, according to preliminary analysis of the

The scope of the worm's spread is unclear but early analysis hasn't
revealed any of the key logging features that made the original
Download.Ject worm such a menace.

On 24 June many websites running IIS 5 were infected with malicious
JavaScript code called Download.Ject. Websites running the latest
versions of Microsoft IIS were unaffected. Users visiting a website
contaminated with Download.Ject activated a script that downloaded a
Trojan horse (called Berbew) from a website in Russia.

Acting with law enforcement authorities, Microsoft was able to rapidly
shut down the Russian website, but the affair still highlighted security
concerns with IE. Security clearing house US-CERT took the extraordinary
step of advising users to ditch IE in favour of alternative browsers.
Microsoft has since fixed the underlying flaw that Download.Ject

PivX Labs has notified anti-virus vendors so that they can create
signatures to defend against the latest threat, which is nowhere near as
serious as the original Download.Ject worm. /

(Remove 999 to reply to me)

Site Timeline