IMlogic, a company specializing in instant-messaging security, has issued a warning about the new IM.Myspace04.AIM worm.

The worm sends out messages that read "look at my new picture" or "why are you trying to send me a file?" Following these messages, you are sent a hyperlink to the uploadsend.com domain, a free file-hosting site, to dupe you into downloading and installing the file.

Social Engineering Run Amok

After infecting you, the bot will send new messages to addresses included in your buddy or contact list. These messages appear to be sent by you and encourage the recipient to spread the bot by downloading the same malware.

The person originally infected has no idea and no way to tell that the worm is sending out messages on his or her behalf. If recipients respond to the message from an infected user, the bot sends a message that includes, "lol no its not its [sic] a virus."

"Administrators are encouraged to educate their employees about the dangers of social engineering," the IMlogic threat report noted. "Also, they should ensure they have the latest updates from their antivirus provider."

While bot attacks via messaging systems are nothing new, industry analysts are concerned that this new variety of messaging worm with its chatty capabilities will enable hackers and those with malicious intent to spread viruses more effectively. Savvy or not, computer users are more likely to open a message or click on a link that appears to have been sent from a friend.

"I'd compare this to e-mail worms that spoof the sender," said Carole Theriault, senior security consultant at Sophos. "If an e-mail that had the e-mail address of a friend of yours in the sender field was sent to you saying 'check this out!' you might be tempted to click on the link. It is the same psychological trick being used here."

Antivirus Update Mantra

Security experts say that the best defense against all types of viruses and worms is to make certain that home computers as well as business computers have updated antivirus software.

That includes installing any security patches for both applications and the operating system , Theriault said. She also recommends turning off any unnecessary "bells and whistles."

"What's difficult about these bots is that once someone has third-party access to your computer, they can upload or download anything," said Theriault. "They can change the viruses on your machine so it's really difficult for security companies to say look out for this particular think or line of code because they can always be changed."

Instant message users might also want to consider establishing a protocol or method of greeting with their friends, said Rob Ayoub, a Frost & Sullivan analyst. That way, when instant-message users receive a message supposedly from a friend saying "click on this link," they will at least know to be suspicious.