Jitux has begun to spread through MSN Messenger, while Quis wreaks Christmas-themed mayhem on Windows PCs

Antivirus experts are warning of a destructive, Christmas-themed email worm and a virus that spreads via MSN Messenger, the popular instant-messaging application.

The Jitux.A worm is not destructive but has already begun to spread via MSN Messenger, according to Panda Software. When executed, the file becomes resident in memory and sends messages to other MSN Messenger users every five minutes, prompting them to download the worm's code, contained in a file called jituxramon.exe.


The worm started to spread more rapidly on Friday, affecting mainly Portugal, Spain and Mexico, said Panda Software. It affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Users can remove the worm simply by scanning their PCs with antivirus software that has up-to-date virus definitions, from Panda, Symantec, McAfee or others.


A more dangerous worm is PE_QUIS.A, according to antivirus company Trend Micro; it is also called W32.HLLP.Belzy@mm by Symantec and has been detected in the past few days by several other firms. Quis spreads itself via Outlook as an email containing a destructive payload. The worm affects Windows 95, 98, and ME.


The worm infects all .exe files in the My Documents and C:\progra~1\mirc folders. Among its less disruptive effects, it overwrites ringtone files (using the extension .rtx) with the tune "Jingle Bells" and subjects the user to a quiz.


The worm arrives in an email with the subject line, "Merry Christmas!" The body reads: "You've probably received enough e-cards. Here's a nice Christmas screensaver instead smile ," and the message carries an attachment called xmas.scr.


Removal involves identifying infected files with an antivirus program, deleting them and then undertaking the tricky process of removing autostart entries from the registry. Detailed instructions can be found on Trend Micro's Web site. Updated virus definitions can be obtained from Trend Micro, Symantec and others.


When an infected system is restarted, Windows automatically runs an application called "startup.exe", which begins by informing the user that the PC is infected. The pop-up message reads, in part: "Your computer is infected with Win32.HLLP.Quizy. However, if you complete the quiz, you may be able to disinfect it."


The quiz contains such seasonal questions as "which animal would Santa have if he actually existed?" (reindeer) and "Which season do I hate the most?" (winter). The virus writer's nationality is signposted in some questions, such as, "In which country do I live?" (Belgium) and "Which keyboard layout is used in Belgium?" (azerty).


Other questions are technical, such as, "which chipset does a U.S. Robotics 22Mbps Wireless PC Card have?" (acx100), or whimsical, such as, "what does antivirus person Graham Cluley have between his toes?" (cheese).


Upon completion of the quiz, the program executes the infection code again, and directs the user to a Web site which promises information on how to remove the worm.

ZDNet


Good artists copy, great artists
steal.

-Picasso