'Warhol' porn worm warning

A 'Warhol' worm is terrorising users of Microsoft's Instant Messenger, and directing them to a porn site featuring malicious script.

A discussion thread on nerd news website Slashdot yesterday warned MSN Messenger users to beware of messages recommending them to go to the site at masenko-media.net/cool.html.

Clicking on the link will open Internet Explorer and take the user to a porn site that features a malicious script which exploits a known hole in the browser and hijacks the viewer's MSN Messenger contact list, sending the link to all the addresses it finds.

Microsoft issued a warning yesterday which read: "If you receive an unsolicited instant message directing you to go to an unknown website, please do not click on the link." Apparently a number of sites are using this malicious technique, not just masenko-media.net.

The software giant has released an update for MSN Messenger that addresses this issue. The latest six barrel patch for Internet Explorer should also close the hole.

This exploit has been dubbed a Warhol worm based on its ability to obtain a critical mass in a short amount of time, effectively gaining its "15 minutes of fame".

The worm overcomes the typical problem of obtaining its initial critical mass of infected hosts by quickly generating a 'hit list' of a few thousand vulnerable machines which have access to a few thousand more machines.

But some Slashdot posters are sceptical. One said: "First off, this is not a virus. It's an Internet Explorer exploit allowing access to your Messenger contact list and other Messenger functions.

"As the post noted, it is fixed with the latest IE patch. The actual problem was with IE's document.open scripting object, and how it was able to access local system objects from websites. This is not a problem with Messenger at all."

Microsoft has come under heavy fire for taking almost a month to release a patch fixing the vulnerability. Details are available here. The Microsoft advisory can be found here.