Noomy.A virus spreading via chat rooms
Noomy.A then connects and logs on to different IRC
channels as if it were a user, and starts sending messages to different
chat rooms. The messages use social engineering techniques to get users'
attention, offering attractive content to trick them into downloading
files to their computers.
Two examples of these messages are: "Everyone interested
in the newest cracks can visit my private server while I'm online,
there's other things on it too" and "Download Britney Spears virtual
girl screensaver at my private server while I'm online".
The messages contain links that point to the servers created on
affected computers. If a user clicks on the link, a page will open
which pretends to download the files offered in the chat channel. But
these are actually infected files created by Noomy.A.
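The behaviour described above, one client repeating the same link-bearing lure across several channels, can be looked for in channel logs. The following is an added example, not part of the original article or of any vendor tool; the log layout, nicks, channels, thresholds and the http:// form of the link are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed log layout (not from the article): "[HH:MM:SS] #channel <nick> text"
LINE_RE = re.compile(r"^\[(\d\d):(\d\d):(\d\d)\] (#\S+) <([^>]+)> (.*)$")

def template(text):
    """Mask URLs and digits so repeats of one lure compare equal."""
    text = URL_RE.sub("<url>", text)
    return re.sub(r"\s+", " ", re.sub(r"\d+", "0", text)).strip().lower()

def find_broadcast_lures(lines, min_channels=3, window_s=600):
    """Map (nick, template) -> channels, for URL-bearing messages one nick
    repeated in at least min_channels channels within window_s seconds."""
    seen = defaultdict(list)              # (nick, template) -> [(time, channel)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not URL_RE.search(m.group(6)):
            continue                      # unparsable line or no link: ignore
        h, mi, s, chan, nick, text = m.groups()
        when = int(h) * 3600 + int(mi) * 60 + int(s)
        seen[(nick.lower(), template(text))].append((when, chan.lower()))
    hits = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            chans = {c for t, c in events[i:] if t - start <= window_s}
            if len(chans) >= min_channels:
                hits[key] = sorted(chans)
                break
    return hits

# Constructed sample log; the lure text is the one quoted in the article,
# the nicks, channels and the 192.0.2.10 documentation address are made up.
LURE = ("Download Britney Spears virtual girl screensaver at my private "
        "server while I'm online http://192.0.2.10/")
SAMPLE_LOG = [
    "[21:04:10] #music <guest4412> " + LURE,
    "[21:04:12] #games <guest4412> " + LURE,
    "[21:04:15] #chat <guest4412> " + LURE,
    "[21:05:00] #chat <alice> patch notes are at http://example.org/notes",
    "[21:05:30] #games <bob> anyone up for a match?",
]

if __name__ == "__main__":
    for (nick, tmpl), chans in find_broadcast_lures(SAMPLE_LOG).items():
        print(nick, chans, tmpl)
```

Only the repeated lure is reported; a single link posted once by another user is not.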
In order to make the pages more realistic, the worm
incorporates several style sheets in the servers it generates on
affected computers. So a different page will be displayed even if a
user connects to the same web address several times.
Noomy.A also terminates the processes of different
antivirus and security tools, allowing it to carry out its actions
without hindrance. This leaves the PC vulnerable to attack from other
internet threats.
The worm also spreads via email in messages with extremely variable
characteristics, as the subjects and message texts are selected at
random from a long list of options. The name of the attachment, which
contains the worm's code, is also selected at random.
If the user runs this file, Noomy.A will send itself to
all the addresses it finds in the files on the affected computer with a
.dbx, .htm, .html or .php extension, except to those that contain
certain strings.
Noomy.A is also programmed to launch denial of service
attacks against the websites of different software developers,
including Microsoft.
"A lot of malicious code uses IRC servers to carry out
their actions," explained Luis Corrons, director of PandaLabs.
"However, in most cases they act as an intermediary between the hacker
and the virus to gain remote access to affected computers and carry out
malicious actions.
"The way in which Noomy.A uses social engineering to
trick IRC users seems to be an attempt to open a new means of virus
propagation.
"For this reason users must be alert, ignoring any
messages that offer content they have not asked for, whatever internet
service they are using."