Noomy.A Virus Spreading Via Chat Rooms

Oct. 8, 2004
Security experts have warned internet users to update their antivirus systems to protect against a newly discovered worm dubbed Noomy.A

Security experts have warned internet users to update their antivirus systems to protect against a newly discovered worm dubbed Noomy.A, which "could represent a new trend in malicious code techniques".

PandaLabs said that, although this sophisticated and dangerous worm has not yet spread significantly in the wild, it has a series of unusual but potentially effective characteristics to propagate itself through Internet Relay Chat (IRC).

Written in Visual Basic, the worm creates an HTTP server on affected computers and generates a large number of files containing copies of its code.

The names of these files, designed to tempt unwary users into believing that they are software cracks, include '2004serials.pif', 'Ageofempires2crack.exe', 'AgeOfMythologyISO.exe' or 'AnaKurnikovaVirualGirl2004.scr', among many others.

Noomy.A then connects and logs on to different IRC channels as if it were a user, and starts sending messages to different chat rooms.

The messages use social engineering techniques to get users' attention, offering attractive content to trick them into downloading files to their computers.

Two examples of these messages are: "Everyone interested in the newest cracks can visit my private server while I'm online, there's other things on it too" and "Download Britney Spears virtual girl screensaver at my private server while I'm online".

The messages contain links that point to the servers created on affected computers. If a user clicks on the link, a page will open which pretends to download the files offered in the chat channel. But these are actually infected files created by Noomy.A.

In order to make the pages more realistic, the worm incorporates several style sheets in the servers it generates on affected computers. So a different page will be displayed even if a user connects to the same web address several times.

Noomy.A also terminates the processes of different antivirus and security tools, allowing it to carry out its actions without hindrance. This leaves the PC vulnerable to attack from other internet threats.

The worm also spreads via email in messages with extremely variable characteristics, as the subjects and message texts are selected at random from a long list of options. The name of the attachment, which contains the worm's code, is also selected at random.

If the user runs this file, Noomy.A will send itself to all the addresses it finds in the files on the affected computer with a .dbx, .htm, .html or .php extension, except to those that contain certain strings.

Noomy.A is also programmed to launch denial of service attacks against the websites of different software developers, including Microsoft.

"A lot of malicious code uses IRC servers to carry out their actions," explained Luis Corrons, director of PandaLabs.

"However, in most cases they act as an intermediary between the hacker and the virus to gain remote access to affected computers and carry out malicious actions.

"The way in which Noomy.A uses social engineering to trick IRC users seems to be an attempt to open a new means of virus propagation.

"For this reason users must be alert, ignoring any messages that offer content they have not asked for, whatever internet service they are using."