W32.Velkbot.a – IM Virus

When executed, W32.Velkbot.a sends a message to all MSN Messenger, Yahoo Messenger, and AIM contacts on the compromised computer. The message is as follows:
“rofl
http://albound.com/pictures.php /r[email_address]”
The recipient must click on the link and download/execute the file to become infected.
Once infected, you’ll have %system%\winmsg.exe along with the usual Run registry keys.
Additional bits of fun:
Disables Task Manager and regedit.
Connects to an IRC server at afil.canadiangov.info and waits for commands.
They can do pretty much whatever they want at that point.
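A host triage check for the artifacts listed above, as an added example that is not part of the original post or of any vendor tool. The function name Test-VelkbotIndicators is hypothetical, the Run keys checked are the standard HKLM/HKCU ones, and it is an assumption that the Task Manager and regedit lockout uses the DisableTaskMgr and DisableRegistryTools policy values, since the post does not name the mechanism.

```powershell
function Test-VelkbotIndicators {
    $findings = @()
    # 1. Dropped binary named in the post: %system%\winmsg.exe
    #    SysWOW64 is checked too, because 32-bit writes are redirected on 64-bit Windows.
    $dirs = [Environment]::SystemDirectory, (Join-Path $env:windir 'SysWOW64')
    foreach ($dir in $dirs) {
        $path = Join-Path $dir 'winmsg.exe'
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += "File present: $path (SHA256 $hash)"
        }
    }
    # 2. Run-key autostart entries whose command line references winmsg.exe
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match 'winmsg\.exe') { $findings += "Autostart: $key\$name = $value" }
        }
    }
    # 3. Policy values that lock out Task Manager and regedit
    #    (assumed mechanism; the post only says both tools are disabled)
    $policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($key in $policyKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            $v = $item.GetValue($name)
            if ($null -ne $v -and $v -ne 0) { $findings += "Lockout: $key\$name = $v" }
        }
    }
    # 4. Cached DNS answers for the two hosts named in the post
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($h in 'afil.canadiangov.info', 'albound.com') {
            if (Get-DnsClientCache -Entry $h -ErrorAction SilentlyContinue) {
                $findings += "DNS cache hit: $h"
            }
        }
    }
    $findings   # empty output means none of the listed artifacts were found
}

Test-VelkbotIndicators
```

An empty result only means these specific artifacts are absent. Run it from an elevated session so the HKLM keys and system directories are readable.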
Links:
http://www.symantec.com/avcenter/venc/data/w32.velkbot.a.html
I can see how this is listed as high severity and high impact. But the contagion potential doesn’t seem that high. It relies on one website that is likely shut down by now. If you are going to rely on a distribution mechanism that can be shut down, hit your targets Monday morning, not Saturday night. During the week you’ll get the office workers.
This virus is of concern because it is sending IMs to all buddy lists on the top three networks instead of just targeting MSN. Also, the message likely comes from someone you know (strangers generally don’t have me on their buddy list, and people can only contact me if they are already on my list).