Oct 7, 2004 3:30 PM PDT    Text size: 

Anti-virus company PandaLabs said that the Noomy.A worm “could represent a new trend in malicious code techniques,” according to a recently issued release.

“Many malicious codes use IRC servers to carry out their actions,” said Luis Corrons, head of PandaLabs. “However, in most cases they act as an intermediary between the hacker and the virus to gain remote access to affected computers and carry out malicious actions.”

“The way in which Noomy.A uses social engineering to trick IRC users seems to be an attempt to open a new means of virus propagation,” Corrons said.

The worm, written in Visual Basic, spreads itself by creating an HTTP server on infected computers and creates a large number of files with names like “jennajamisondildohumping.scr,” “gta3grack.exe,” anakurnikovavirualgirl2004.scr” and “ageofempires2crack.exe” in a Windows system director subfolder. Each of these files is a copy of the worm.

The program then connects to several different IRC channels and begins to send messages in an attempt to entice users to download the files. Messages can include, “want hot chix as ur screensave? Be sure to visit my private server while im online,” and, “see funny video of naked Bush while his drunk.”

The messages also contain links pointing to the worm’s HTTP server.

Once users connect to the server, they are greeted with different pages created using several style sheets embedded in the worm.

Noomy.A also searches for email addresses in .dbx, .htm, .html and .php files and then sends itself as an attachment to those addresses.

The worm is programmed to launch denial of service attacks against websites belonging to Microsoft and several other software developers.