BannerPortlet

Blogs

Yahoo! Messenger users are in danger of being attacked by a new type of worm spreading via the software.

The user will receive from his friend a message which includes a link pretending to be an image link. However, when the user click this link, his browser will download a dangerous .exe file. If he runs the .exe file, his computer is infected, and the malware, then continues to send malicious links to accounts in the user‘s friend list. Now, the user’s account has become a source to distribute malicious links to other users.

The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users. Bad guys have integrated some phishing elements to trick the user into clicking the link and then opening the downloaded file.

Knowing that IM users often share links between each other, attackers have written malware distributing the fake links as image links. The downloaded .exe file itself is also disguised as an image file.

Bkav has detected this worm as W32.Ymfocard.fam.Botnet. When infecting computers, this worm automatically popups a window to a website, automatically spreads via Yahoo! Messenger. Follows are some behaviors of this malware:

1. Automatically popups page: http://browseusers.myspace.com/Browse/Browse.aspx when virus runs for the first time.

2. Writes key

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Firewall Administrating" = "c:\windows\infocard.exe"
  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Firewall Administrating" = "c:\windows\infocard.exe"

To run virus at Windows startup.

3. Writes key:

  • [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\ StandardProfile\AuthorizedApplications\List] To bypass firewall

4. Copies itself to folder %WinDir% as "infocard.exe"

5. Dumps file %WinDir%\winbrd.jpg

6. Automatically distributes malicious links via YM

  • http://mig[removed]tos.com/image.php
  • http://www.k[removed]nk.com/image.php
  • ............

Yahoo! Messenger users should raise their awareness when receive unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers.

Bkis

Leave a Reply

Name (required)
Mail (hidden) (required)
Website
Text to Identify
Reload-Capcha
CAPTCHA Code *

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet

Categories

Store Portlet

Archives

Vote Baby Portlet