An MSN Messenger worm exploits a recently patched vulnerability in Internet Explorer. CoolNow (JS.CoolNow.A, also known as JS.Menger.A and JS.Exploit-Messenger.A) arrives as an "Urgent" message from a "buddy" who asks the user to click the attached Web site URL. The sites used in this person's exploits have since been removed. Once the user visits the infected Web page, a new round of instant messages are sent. Since CoolNow does not damage a user's computer or use e-mail to spread, it ranks a 2 on the ZDNet Virus Meter.
How it works
CoolNow is a JavaScript code that takes advantage of a known flaw in Internet Explorer. The body of the worm exists on one of several Web pages (now shut down). When a user attempts to view the infected Web page, the malicious code is downloaded onto the user's computer. If the user's infected machine is running MSN Messenger, CoolNow attempts to reference the class object identification for creating a Messenger object and the Messenger application itself. Once successful, CoolNow then attempts to send the URL of the worm code to other MSN contacts found on the user's machine.
Prevention
CoolNow uses a known script vulnerability in Internet Explorer 5.01, 5.5, and 6 that, in this case, also affects MSN Messenger. This vulnerability has been patched, and users are encouraged to download the patch issued by Microsoft on February 12, 2002.
Removal
Almost all the antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Kasperksy ,McAfee, Norman,Sophos, Symantec, and Trend Micro.
[an error occurred while processing this directive]
