'Heartworm' Targets MSN Messenger Users; Uses Hoax Cloaking Tactics as Elaborate Ruse to Steal Personal and Bank Data
FaceTime researchers uncover dangerous worm hosted on a Russian Web site using documented Internet hoax 'a virtual card for you'

By: PR Newswire
Sep. 22, 2006 03:49 PM

FOSTER CITY, Calif., Sept. 22 /PRNewswire/ -- Research experts at FaceTime Security Labs(TM), the threat research division of IM and greynet security leader FaceTime Communications, have discovered a new IM-borne threat targeting MSN Messenger users with a link that opens up a Web site that leads users to click on a "virtual card waiting for you." Users who click on this link see an image of a heart with a poem in Portuguese. The threat, known as W32.heartworm.a, installs files to steal a user's banking and personal data.

"The perpetrators have made a calculated move to tie this attack into numerous Web hoaxes, possibly to confuse infected users looking for help online," said Chris Boyd, director of malware research for FaceTime Security Labs. "Not only do they open up an image of a heart from a site dedicated to tackling online hoaxes, they also apparently named the attack after another online hoax -- a virtual card for you -- that has been in circulation since 2000. In this case, you really do receive a virtual card, but with a nasty additional 'bonus.'"

The infection spreads by running a file in circulation on Russian Web hosting sites claiming to offer a "virtual card" -- when the file is run, a picture of a heart containing a poem is launched, and the infected user will pass the infection link to their contacts on MSN Messenger with the phrase "olha o que eu fiz pra vc....curti ai...[url removed]".

The files are related to a certain strain of banking data Trojan particularly prevalent in Brazil, and are similar to those in the MW.Orc worm that plagued Google's Orkut social networking site earlier this year (http://www.facetime.com/pr/pr060619.aspx).

Wayne Porter, senior director of special research at FaceTime Security Labs, comments, "This is a form of cultural camouflage which we call 'hoax cloaking.' It is a defensive construct that adopts the very lore, memes, myth and culture of the Internet to serve as a self-preservation and cloaking mechanism. People using trusted search engines to verify the message will find most reputable security companies and hoax-debunking sites confirm it as a myth and disregard it as harmless."

Boyd, Porter and the FaceTime research team offer a detailed accounting of the W32.heartworm.a at http://blog.spywareguide.com/.

Who is affected: Users of MSN Messenger instant messaging service, recently renamed Windows Live Messenger.

Threat Type: Worm

Risk Level: Medium

How to protect against this threat

The initial file has the potential to infect MSN Messenger's more than 266 million users worldwide. (Instant Messaging Market Report, 2006-2010, The Radicati Group) Users can protect themselves by not clicking on links sent to them by other users, even if users appear on their contact list. Currently, most commonly used anti-virus programs do not provide protection from W32.heartworm.a.

Companies that use FaceTime Enterprise Edition and IMAuditor and have auto-update features activated are automatically protected against this threat. FaceTime also recommends activating the Day Zero Defense System within IMAuditor. The system utilizes anomaly detection techniques to analyze multiple characteristics of IM-borne worms and other malicious code against normal behavior, and provides patent-pending protection against many IM threats - in addition to traditional security signatures. FaceTime RTGuardian customers are automatically protected if they have auto update features enabled. FaceTime's X-Cleaner customers (formerly XBlock) should download the latest update and scan their PC for the worm.

About FaceTime Communications

FaceTime enables the safe and productive use of greynets like instant messaging, VoIP, Web conferencing and P2P file sharing. FaceTime Security Labs delivers the industry's first IMPact Index, which assesses "point-in-time" risks posed by viruses, worms and other malware propagating through greynet applications. FaceTime's award-winning solutions are used by more than 800 customers, among them nine of the ten largest U.S. banks. FaceTime supports or has strategic partnerships with all leading public and private IM network providers, including AOL, Google, Microsoft, Yahoo!, IBM, Reuters, Bloomberg, and Jabber.

FaceTime is headquartered in Foster City, California. For more information visit http://www.facetime.com/ or call 888-349-FACE.

NOTE: FaceTime, FaceTime Communications, IMAuditor, RTGuardian, GEM, Facetime Enterprise Edition, FaceTime Security Labs, IMPact Index, SpywareGuide.com, X-Cleaner and the FaceTime logo are registered trademarks and trademarks of FaceTime Communications, Inc. Other trademarks and registered trademarks are the property of their respective owners.

Contact: Emily Chamberlin of A&R Edelman, +1-650-762-2945, or echamberlin@ar-edelman.com, for FaceTime.

Web site: http://blog.spywareguide.com/

Web site: http://www.facetime.com/

Published Sep. 22, 2006
Copyright © 2008 SYS-CON Media. All Rights Reserved.
Copyright © 2007 PR Newswire. All rights reserved. Republication or redistribution of PRNewswire content is expressly prohibited without the prior written consent of PRNewswire. PRNewswire shall not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.
