New Yahoo! IM Worm Emerges




http://www.techtree.com/techtree/jsp/article.jsp?article_id=73368&cat_id=643





Techtree News Staff
May 23, 2006


This time it's the Yahoo! Instant Messenger (IM) users who are under
threat from a new worm that installs a rogue Web browser called "Safety
Browser," and hijacks the user's Internet Explorer homepage.

Researchers from FaceTime Security Labs, a seller of instant messaging
security products, first identified the threat and have dubbed this
first-of-its-kind worm "yhoo32.explr". It was found on the Yahoo! IM
network about two weeks ago.

According to the researchers, this is the first recorded instance of
malware installing its own Web browser on a PC without the user's
permission. The worm drops the "Safety Browser" on the user's PC. The
Safety Browser uses the same icon as Microsoft's IE Web browser, and
when opened, takes users to a special home page called Demoplanet that
installs spyware on the PC. The icon randomly changes to the Internet
Explorer icon, and, to further fool users, they are urged to click on a
series of advertisements, which in turn installs more spyware and
adware on their PCs.

Tyler Wells, senior director - research, FaceTime Security Labs, said
the new threat arrives as a link in a message box on the user's PC.
After someone clicks the link, at least one warning will be displayed
to tell the user that software is about to be downloaded or installed
and that this may be malicious.

FaceTime has issued an alert saying that the self-propagating new worm
spreads the infection to Yahoo! Messenger contacts on the infected PC
by sending a nefarious Website link during a conversation. The link
leads to a Website that loads a command file onto the user's PC and
installs Safety Browser. This spam over IM is called "spim". IM
applications and protocols are an increasingly popular vector for
distributing malicious files and executables.

The threat was discovered by FaceTime Security Labs in a "honeypot," a
term used to describe a trap to detect viruses, worms, spyware, and
other threats.
