Tech Update 
A message from Jerry stalks MSN Messenger users
By Robert Vamosi
ZDNet Reviews
September 4, 2001



MSN Messenger users are again the victims of a chat application worm. Known by a few different names--Troj_Brain.A, W32.Choke.b, W32.NewPic, Worm.JerryMsg--this MSN Messenger worm will infect anyone contacting an infected PC by asking if the user wants to see a new picture. If the correspondent says Yes, the worm then sends a copy of itself via MSN Messenger. If a chat application other than MSN Messenger is used to contact the infected PC, the worm might install on the new PC but it will not spread to others. MSN Messenger users were victims in June of the tasteless Choke worm. This latest MSN Messenger worm is not destructive, and even contains its own removal instructions. Because of its limited infection capabilities and relative harmlessness, this MSN Messenger worm only ranks as a 2 on the ZDNet meter.

How it works
The worm arrives via MSN Messenger as a file called PIC1324.EXE. If executed, the worm then displays an Error message box with the following text:

"Cannot open file. May be corupted. Replace the file with a new one and try again".

The worm then installs itself to run every time the computer is booted. The worm appears in the task manager as MsgSprd. The worm monitors chats on MSN Messenger and will attempt to engage anyone who contacts the infected computer with the following exchange:

    hey, want me to send my new pic? i took it yesterday

Depending on the response, the worm will send the file with the following text:

User      Worm
send      there
sure      [no response]
maybe     pweese ? :-)
i guess   i hope you like it
ok        alright, here ya go
yea       alright, here ya go
yes       alright, here ya go

The worm does no damage and its own removal instructions can be found in a file located at C:Messenger1324Brain1Read Me.txt. The text file reads:

    I come in piece. My name is Jerry. The purpose of me is to spread. I'm not annoying, nor dangerous.

    How to remove me:
    1) Click Start, select Run. The Run dialog box pops up.

    2) Type: msconfig The System Configuration Utility pops up.

    3) Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.

    4) Restart your computer Or press Ctrl - Alt - Del, select MsgSprd from the list, then press End Task.

    You may freely delete the files or the 'C:Messenger1324' directory.
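
The chat script and startup names described above can be turned into a simple detection check. The following is an added example, not part of the original article or any vendor's tooling; the "sender|kind|payload" transcript format and the sample lines are constructed for illustration.

```python
import re

# Indicators quoted in the article above.
LURE = "hey, want me to send my new pic? i took it yesterday"
FOLLOW_UPS = {"there", "pweese ? :-)", "i hope you like it", "alright, here ya go"}
DROPPED_FILE = "pic1324.exe"
# "Messenger" also matches the legitimate client, so treat hits as leads to review.
STARTUP_NAMES = {"msgsprd", "messenger", "pic1324"}

# Constructed sample; the "sender|kind|payload" format is an assumption.
SAMPLE_LOG = """\
alice|msg|hi, are you there?
bob|msg|Hey, want me to send my new pic?  I took it yesterday
alice|msg|ok
bob|msg|alright, here ya go
bob|file|PIC1324.EXE
carol|msg|want to see my new pic from the trip?
carol|file|beach.jpg
"""

def _norm(text):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def scan_transcript(log):
    """Return {sender: [matched stages]} for senders following the worm's script."""
    hits = {}
    for line in log.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole scan
        sender, kind, text = parts[0], parts[1], _norm(parts[2])
        if kind == "msg" and text == LURE:
            hits.setdefault(sender, []).append("lure")
        elif kind == "msg" and text in FOLLOW_UPS and "lure" in hits.get(sender, []):
            hits[sender].append("follow-up")  # only counts after the lure was seen
        elif kind == "file" and text == DROPPED_FILE:
            hits.setdefault(sender, []).append("file")
    return hits

def suspicious_startup(entries):
    """Return startup entry names that match the names listed in the worm's readme."""
    return sorted(e for e in entries if _norm(e) in STARTUP_NAMES)

if __name__ == "__main__":
    print(scan_transcript(SAMPLE_LOG))
    print(suspicious_startup(["MsgSprd", "OneNote", "PIC1324"]))
```

A sender showing all three stages (lure, follow-up, file) is a much stronger signal than a filename match alone.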

Removal
Almost all the antivirus software companies have updated their signature files. For more information on removing this MSN Messenger worm from your system, see Central Command, McAfee, Symantec, and Trend Micro.

Prevention
Here are the basic steps for containing the latest MSN Messenger worm:

  1. Read the Microsoft statement regarding MSN Messenger and worms. Microsoft has issued the following statement regarding chat application viruses in general.

  2. Secure your communications. Download one of these Central Command products designed for ICQ, MSN Messenger, Yahoo! Instant Messenger, mIRC, and NetMeeting.

  3. Protect your PC. If you don't already have virus protection software on your PC desktop, you should. If you're a home or individual user, it's as easy as downloading any of these top-rated programs then following the installation instructions. If you're on a network, check with your network administrator first.

  4. Scan your system regularly. If you're just loading antivirus software on your desktop for the first time, it's a good idea to let it scan your entire system. It's better to start with a clean and problem-free PC. Often the antivirus program can be set to scan each time the computer is rebooted or on a periodic schedule. Some will scan in the background while you are connected to the Internet. Make it a regular habit to scan for viruses.

  5. Update your antivirus software. Now that you have virus protection software installed, make sure it's up-to-date. Some antivirus protection programs have a feature that will automatically link to the Internet and add new virus detection code whenever the software vendor discovers a new threat. You can also scan your PC for the latest security updates here.

To stay up-to-date on the latest virus alerts and solutions, bookmark our Virus Protection Guide.

