There is a worm which is aggressively broadcasting itself to Windows Live Messenger users, and possibly via social networking services (MySpace, Hi5, etc.). It's known to affect users of MSN, AIM and Triton, and we have had several reports from people who were contacted by compromised hosts.

When it infects a PC, the current version of the worm sends a message in Spanish ("Yo creo que esta es tu fotografia! {URL to click on to download malware}") to all Windows Live Messenger buddies, saying that the apparent sender found a picture of them and asking them to click on the malicious link to view it. Users who do so will be prompted to download and run a file, which simply displays a dialog titled “Windows Microsoft Viewer” with the text “Picture can not be displayed” in it. If you see that on your PC, it means it's infected.

Once it is run, it adds itself to the [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] key and saves itself as %windir%\winrofl32.exe. The program itself functions as a fairly standard IRC bot and logs into an IRC channel to wait for commands from the bot herder.
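
The persistence described above can be checked on a host with a short PowerShell function. This is an added example, not code from ESET or from the original post: the Run key and the file name winrofl32.exe come from the post, while the function name, the output fields and the "any .exe started from the %windir% root" heuristic (which goes beyond the single file name, since the name may change) are assumptions made for illustration.

```powershell
# Added example, not ESET's code. Run key and winrofl32.exe are from the post;
# the function name, output fields and location heuristic are illustrative.
function Find-WinroflPersistence {
    param(
        [string]$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$FileName = 'winrofl32.exe'   # may change in later variants
    )
    $winDir = $env:windir.TrimEnd('\')

    # 1. Autorun values: exact file-name hit, or any .exe started from the %windir% root.
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)   # REG_EXPAND_SZ values come back expanded
            $exe = $null
            # Extract the executable from a quoted or bare command line.
            if ($data -match '^\s*"([^"]+)"' -or $data -match '^\s*(\S+\.exe)') {
                $exe = $Matches[1]
            }
            $reason = $null
            if ($data -like "*$FileName*") {
                $reason = 'file name reported in the post'
            } elseif ($exe -and $exe -like '*.exe' -and (Split-Path $exe -Parent) -ieq $winDir) {
                $reason = 'autorun .exe in %windir% root (review manually)'
            }
            if ($reason) {
                [pscustomobject]@{ Source = 'RunKey'; Item = $name; Detail = $data; Reason = $reason }
            }
        }
    }

    # 2. The dropped file itself; record its hash for comparison across hosts.
    $path = Join-Path $winDir $FileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash   # PowerShell 4+
        [pscustomobject]@{ Source = 'File'; Item = $path; Detail = "SHA256=$hash"; Reason = 'file name reported in the post' }
    }
}

Find-WinroflPersistence | Format-List
```

No output means neither indicator was found on that host; it does not rule out a variant that uses a different file name or autorun location.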

ESET products detect it as Win32/Inject.NBL as of update 3387. (Thanks to Pierre-Marc and Aryeh for this information).

It's important to note that:

  • The wording, content, even the language of the message sent could change at any time.
  • The malicious program can also be changed, and almost certainly will be, so as to make it harder for anti-malware scanners to recognize it with existing signatures.

Research Team
(This blog has been amended slightly as more information has come in.)