Martin's technology blog – July 26, 2007


MSN viruses

posted by Martin Rubli at 14:24

In the last two days I've received viruses over MSN messenger on two different occasions. Both times, they seemed to come from friends of mine. The first one was in the form of the following message and came with a simple link:

Vote for me:
http://22460.vasedrunjinsaterfuns.com/2215/67179/

At the time of this writing the link above still works and downloads a file called vote.zip. The file is not actually a ZIP archive; instead it's a simple Windows executable. Now, I don't know how people are supposed to be tricked into executing it, because simply double-clicking it obviously won't do any damage, but maybe it has something to do with MSN users' habit of renaming .exe to .zip before sending files?

A scan of the file with the pretty good multi-engine scanner over at Virus Total found a Stration worm, which originated as an e-mail worm and is now apparently broadening its infection horizon.

The second one was a little trickier: it actually managed to infect my boss and a co-worker of mine, from whom I then received the following message, immediately followed by an incoming file request for images.zip:

Sup, seen the pictures from the other night?

A few things were obviously suspicious here:

  • My friend just doesn't talk like that. As a matter of fact, few people use uppercase in IM nowadays and I think the last time somebody used "Sup" was last decade. (I may be wrong on the latter one though ...)
  • The file was called images.zip yet contained only a single file. Nobody zips a single image because they can't be compressed anyway, and especially not one of some 40 kB.
  • The "image" that was contained was called IMG34814.pif, with an extension that is more than suspicious, but might slip the eye of someone who hasn't been suspicious up until now.
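As an added example (not code from the original post), here is a small Python checker that applies the red flags listed above to an incoming IM attachment: it spots a ".zip" that is really an MZ executable, as with vote.zip, and a genuine archive whose only member carries an executable extension such as .pif, as with images.zip. The sample blobs and helper names are constructed for this illustration and are inert stand-ins, not the real files.

```python
import io
import zipfile

# Extensions Windows runs as programs; .pif is the one the post singles out.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}

def inspect_im_attachment(name: str, data: bytes) -> list:
    """Return the reasons an IM attachment looks suspicious (empty list if none)."""
    reasons = []
    # Case 1 from the post: vote.zip was not a ZIP but a Windows executable (MZ header).
    if data[:2] == b"MZ":
        reasons.append("file %s is a Windows executable (MZ header), not an archive" % name)
        return reasons
    if data[:2] != b"PK":
        reasons.append("file %s is neither a ZIP archive nor a known executable" % name)
        return reasons
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        reasons.append("file %s has a PK signature but is not a valid archive" % name)
        return reasons
    # Case 2 from the post: images.zip held a single ~40 kB file named IMG34814.pif.
    if len(members) == 1:
        reasons.append("archive contains only a single file")
    for m in members:
        ext = ("." + m.filename.rsplit(".", 1)[-1].lower()) if "." in m.filename else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("member %s has executable extension %s" % (m.filename, ext))
    return reasons

def _build_zip(entries: dict) -> bytes:
    """Helper to construct an in-memory ZIP from {filename: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()

# Constructed samples mirroring the post's two cases (inert stand-ins, not the real malware).
SAMPLE_VOTE_ZIP = b"MZ" + b"\x00" * 126          # fake executable: just the MZ magic
SAMPLE_IMAGES_ZIP = _build_zip({"IMG34814.pif": b"\x00" * (40 * 1024)})
SAMPLE_PHOTOS_ZIP = _build_zip({"img1.jpg": b"\xff\xd8\xff" * 50, "img2.jpg": b"\xff\xd8\xff" * 50})

if __name__ == "__main__":
    for label, blob in [("vote.zip", SAMPLE_VOTE_ZIP), ("images.zip", SAMPLE_IMAGES_ZIP),
                        ("photos.zip", SAMPLE_PHOTOS_ZIP)]:
        print(label, "->", inspect_im_attachment(label, blob) or ["no red flags"])
```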

I can hardly blame the average Joe for becoming infected with the second one, so the blame goes--*fanfare*--to Microsoft for two reasons.

  1. Apparently, the current version of Windows Messenger is scriptable to an extent that is so obviously dangerous that I can't believe the functionality is still in there.

  2. Despite Microsoft proclaiming Vista to be the most secure Windows ever, .pif files are still executed without warning.

The second point is especially grave for a number of reasons. Because of the nature of the PIF file format it does not contain any executable code but only meta information, so it could easily be checked for authenticity. What's worse is that extremely few people have used .pif files ("program information files") after Windows 3.1, so either displaying a very obvious warning message or dropping the registration of the .pif extension altogether would not disrupt anyone.

If you want to disable .pif files on your system, you can use the following registry change to do so (or download this .reg file and double-click it):

HKEY_CLASSES_ROOT\.pif\(Default) = "piffile_disabled"