An adware worm called "Osama Found", which has been circulating among users of America Online Instant Messenger, is causing more aggravation than actual damage.
Network Associates said the worm, which is neither a virus nor a Trojan horse, pops up a URL link in an incoming message during an AIM session and appears to come from someone on the user's buddy list. Users who click on the URL link are sent to a web page where they are asked to download a program for an IM game application.
The problem is that once a user installs the program, it acts like a worm and sends the link to everyone on the user's buddy list. The spread is even faster than in e-mail worms because IM is real time and people can react much faster, especially when it appears that the link comes from someone they already know.
"In corporate America, that's a very bad thing if you've got customers on your buddy list and you start spamming them with this game," said Dmitry Shapiro, founder and chief technology officer of Akonix Systems, an security management supplier in San Diego. "It looks bad for your company."
Shapiro said the adware application is one of the first he's seen that's using IM to distribute itself instead of e-mail. Last month, another worm, Jitux.a, spread itself through IM clients, but it was not adware, he said.
"Think of it as spam gone crazy," Shapiro said. "This is worm spam."
This particular worm is not a security risk in terms of malicious payloads, but variations that cause damage are possible in the future, he warned.
The adware worm for the IM game apparently comes from a company called PSD Tools, through its BuddyLinks division, according to Shapiro and Network Associates.
Officials at PSD Tools did not respond to an e-mail and could not be reached by telephone. The PSD Tools Web site states that the company was founded last year and offers "social networking software" that allows peer-to-peer communications through various IM platforms.
The company's BuddyLinks site describes its product as an "interactive game" that is sent out and promoted among the user's network of buddies.
"Please understand, our Flash games are in no way a virus," the site said. "We simply combine peer-to-peer, social networking and instant messaging into one spectacular technology."
The Buddylinks.net web site informs visitors that they can e-mail questions to the company, but it warns them not to send attachments. "Attachments are deleted by our mail server, please send links," the site states. A link is provided to get help to uninstall the game, if desired.
AOL spokesman Andrew Weinstein called the game program "clearly one of the slimiest pieces of adware we've ever seen", adding that his company was doing everything it could to stop it.
So far, the worm appears to work only on AOL's IM client, but the code appears to have the capability of being modified to work on others, Weinstein said. "We're strongly opposed to this piece of software and ... we're actively investigating both legal and technical steps to prevent its distribution."
AOL will include spyware-detection features in its next version of AIM, due out in several weeks, to fight such programs, which will scan for spyware on a regular basis and remove them, he said.
Francis deSouza, chief executive officer of IMlogic, which provides security for corporate IM users, said the Osama Found worm is the start of what appears to be a new problem in corporate communications.
"I think the whole area of viruses and spam over IM has really not been addressed," deSouza said, adding that because of the pop-up nature of IM, this is something that can become seriously disruptive for users and companies. About 5% to 17% of IM messaging today is spam, he said, according to IMlogic figures, and that can be a problem for businesses.
Todd R Weiss writes for Computerworld