As part of its infection routine, Noony.A sets up an HTTP server on impacted systems, populating it with provocatively named files that actually contain the worm's code. According to PandaLabs, the filenames used include 2004serials.pif, Ageofempires2crack.exe, AgeOfMythologyISO.exe, AnaKurnikovaVirualGirl2004.scr, and many others.
Noony.A then connects to various IRC channels and posts messages designed to entice IRC users into visiting the miscreant server and downloading the infected files. Examples of the messages include:
- everyone interested in the newest cracks can visit my private server while im online there's other things on it too
- download Britney Spears virual girl screensaver at my private server while im online
The posted messages include links to the rogue HTTP servers. Those who click on the links will inadvertently download copies of the worm.
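A defender watching channel traffic can key on what the passage above describes: one sender posting links to directly executable files across several channels. The Python sketch below is an added example, not code from PandaLabs or the original article; the raw IRC log format, the nicks, channels and addresses, and the two-channel threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions of the bait filenames quoted in the article; all run directly on Windows.
EXECUTABLE_EXTS = (".pif", ".scr", ".exe")
# Raw IRC line as a client logs it: ":nick!user@host PRIVMSG #channel :text"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def executable_links(text):
    """Return the URLs in text whose path ends in an executable extension."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # drop sentence punctuation glued to the link
        if urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS):
            hits.append(url)
    return hits

def find_lures(lines, min_channels=2):
    """Report nicks that post executable links in at least min_channels channels."""
    seen = defaultdict(lambda: {"channels": set(), "urls": set()})
    for line in lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue
        urls = executable_links(m["text"])
        if urls:
            seen[m["nick"]]["channels"].add(m["target"].lower())
            seen[m["nick"]]["urls"].update(urls)
    return {nick: {"channels": sorted(v["channels"]), "urls": sorted(v["urls"])}
            for nick, v in seen.items() if len(v["channels"]) >= min_channels}

# Constructed log lines: nicks, channels and 192.0.2.x addresses are made up.
SAMPLE_LOG = [
    ":guest41!u@a.example PRIVMSG #games :everyone interested in the newest cracks "
    "can visit my private server while im online http://192.0.2.10/2004serials.pif",
    ":guest41!u@a.example PRIVMSG #music :newest cracks on my private server "
    "http://192.0.2.10/AgeOfMythologyISO.exe.",
    ":alice!u@b.example PRIVMSG #games :patch notes are at http://192.0.2.20/notes.html",
    ":bob!u@c.example PRIVMSG #dev :our installer: http://192.0.2.30/setup.exe",
]

if __name__ == "__main__":
    for nick, info in find_lures(SAMPLE_LOG).items():
        print(nick, info["channels"], info["urls"])
```

The single-channel installer link from `bob` is deliberately not reported; lowering `min_channels` to 1 trades that tolerance for more alerts.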
Leading to temptation
"Many malicious code use IRC servers to carry out their actions," explains Luis Corrons, head of PandaLabs. "However, in most cases they act as an intermediary between the hacker and the virus to gain remote access to affected computers and carry out malicious actions. The way in which Noomy.A uses social engineering to trick IRC users seems to be an attempt to open a new means of virus propagation. For this reason, users must be on the alert, ignoring any messages that offer content they have not asked for, whatever Internet service they are using."
Robert Freeman, an expert on P2P threats and the Senior Malcode Analyst for Internet Security Systems, concurs: "Social engineering poses the greatest ongoing threat to computer security. Noony.A's use of IRC to lure users into infecting their computers is novel. Users should be skeptical of any unsolicited offerings in addition to any freebies that otherwise sound too good to be true."
Freeman is the author of Next Generation Peer-to-Peer Threats: From Wild to Mild, presented at the 14th annual Virus Bulletin conference. In his paper, Freeman notes that the most popular method of infection is sharing files that seem enticing, capitalizing on users' penchant for obtaining movies, music, and software for free.
Not an idle threat
Propagation is only one aspect of the worm. Noony.A also attempts to shut down antivirus and security processes found running on infected systems - leaving systems vulnerable to future threats - and launches a denial of service (DoS) attack against others, including Microsoft.
When it comes to computer security, the old adage has never rung more true: if it sounds too good to be true, it is too good to be true.

