Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

SANS: GDI+ Worm Discovered For AOL Instant Messenger

Low-Risk Worm is a New Twist on Old Risk

The reliable SysAdmin Audit Network Security Institute (SANS) reports that a worm has appeared on AOL Instant Messenger that utilizes the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (MS04-028).

According to Johannes Ullrich, chief technical officer at SANS' Internet Storm Center, this sort of thing has been done in the past, except with HTML code instead of JPEG. “It is a virus, but it didn't spread very far. We've only had two reports of it,” Ullrich said. The worm, which has not been officially named, sent a message to the victim urging them to “Check out my profile, click GET INFO!” When the profile site was visited, infected code would be downloaded to the computer and would execute the worm.

“We haven't seen any damage reports of this worm,” F-Secure's Mikko Hypponen says. “I've seen some discussion, but our best estimate is that it hasn't got very far.”

Getting a user to visit an infected web page or download an infected file via instant messengers is not a new trick among virus makers, though. It has been around since the first instant messenger-based threat, the Fleming worm, was isolated in October 2002.

Posted: Sep 30 2004, 07:00 PM by trafton | with 6 comment(s)