BitDefender has found an aggressive worm spreading via instant messenger (IM) that allows an attacker to install malware, steal passwords, or launch spam to IM contacts.
Called Palevo, the worm also spreads via network drives and removable USB drives using the Windows Autorun feature: when an infected USB stick is inserted into a computer with Autorun enabled, the machine is infected automatically, with no click required.
The unsolicited messages on IMs prompt recipients to click a link accompanied by a grinning smiley face emoticon, which purports to lead them to images hosted online.
“Instead of opening the image collection, users are tricked into saving what seems to be a .JPG file which is, in effect, an executable concealing the malicious payload – Worm.P2P.Palevo.DP,” said the company.
The worm then creates several hidden files in the Windows folder (mds.sys, mdt.sys, winbrd.jpg and infocard.exe) and modifies registry keys to point at these files, in order to shut down the operating system's firewall.
It is then capable of intercepting passwords and logins that are either stored in or entered into the Mozilla Firefox and Microsoft Internet Explorer web browsers. The worm also targets users of peer-to-peer file-sharing platforms by adding its code to shared files. Platforms at risk include Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
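For readers who want to check a Windows host against the behaviour described above, the following PowerShell triage script is an added example written for this page; it is not BitDefender's code and is not derived from the worm. The dropped file names come from the article. The firewall and Autorun checks are my own additions: the article does not name the registry keys the worm edits, so the script reports firewall state per profile instead, and the NoDriveTypeAutoRun policy value (0xFF disables Autorun on all drive types) is the standard Windows hardening against the USB infection vector, assumed here rather than taken from the page. Get-FileHash needs PowerShell 4 or later and Get-NetFirewallProfile needs Windows 8 / Server 2012 or later; on older systems substitute netsh.

```powershell
# Added triage example for the Palevo indicators in the article above.
# Not BitDefender's code; file names are from the article, everything else is assumed.
$windir   = $env:WINDIR
$iocFiles = @('mds.sys', 'mdt.sys', 'winbrd.jpg', 'infocard.exe')   # from the article

# 1. Look for the dropped files. -Force is needed because the worm marks them hidden.
$hits = foreach ($name in $iocFiles) {
    $path = Join-Path $windir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path   = $path
            Hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}
if ($hits) {
    Write-Warning "Possible Palevo artefacts found in $windir"
    $hits | Format-Table -AutoSize
} else {
    "No Palevo dropped files found in $windir"
}

# 2. The worm tries to shut the Windows firewall down; report the state of each profile.
#    (Get-NetFirewallProfile: Windows 8 / Server 2012 and later; older hosts:
#    netsh advfirewall show allprofiles state)
Get-NetFirewallProfile | Select-Object Name, Enabled

# 3. Autorun hardening (assumed standard policy value, not from the article):
#    NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type, which removes
#    the USB infection vector described above.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    Write-Warning "NoDriveTypeAutoRun is '$current'; set it to 0xFF to disable Autorun on all drives."
    # Remediation (run from an elevated shell):
    # New-Item -Path $polKey -Force | Out-Null
    # Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
} else {
    'Autorun is disabled for all drive types (NoDriveTypeAutoRun = 0xFF).'
}
```

Run it from an elevated PowerShell prompt so that hidden files under the Windows folder and the policy key are readable. A hit on any of the four file names is a strong but not conclusive indicator, which is why the script records the SHA-256 of each file for comparison against your vendor's signatures rather than deleting anything on its own.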
BitDefender’s Senior Researcher, Catalin Cosoi, said: “We recommend that IM users be extremely cautious of links they receive in an instant message, particularly if they point towards either a file or web link download. It’s worthwhile to double-check the legitimacy of the message with the sender before opening a link, in order to confirm whether they had purposely sent the message themselves.”