Around the end of August we started to see the next logical step in the evolution of IM malware.
People were complaining about a new IM-Worm. The message which the user receives is actually a link, which when clicked takes the user to a site where a specific piece of IM related software can be downloaded.
There is a single executable which is responsible for spreading these promotional links for this software site across the AOL, MSN and Yahoo instant messaging networks. You guessed it, the first AdWare which spreads via IM.
But it gives rise to a very interesting question: are we dealing with AdWare or with an IM-Worm?
The EULA for the IM related software does explicitly state that this software will send messages to all contacts in the user’s IM client. Because of this, and the way in which the program spreads, it could be classified as AdWare. However, the executable file is designed purely to spread the site link, and it doesn’t warn the user of its behaviour.
We therefore decided to classify this file as an IM-Worm. We may see similar files in the future and these files might be classified differently because of the way in which they behave.
The company has now changed its policy, and is offering the IM related software without this feature. Why, we don’t know. But there is nothing to stop other vendors picking up on this approach and using it to promote their products.