New worm spreading via Yahoo Messenger
12:01:00 | 04-05-2010

Yahoo! Messenger users are in danger of being attacked by a new type of worm spreading via the software.

The user will receive from his friend a message which includes a link pretending to be an image link. However, when the user clicks this link, his browser will download a dangerous .exe? file. If he runs the .exe file, his computer is infected, and the malware, then continues to send malicious links to accounts in the user's friend list. Now, the user's account has become a source to distribute malicious links to other users.

The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users. Bad guys have integrated some phishing elements to trick the user into clicking the link and then opening the downloaded file.

Knowing that IM users often share links between each other, attackers have written malware distributing the fake links as image links. The downloaded .exe file itself is also disguised as an image file.

Bkav has detected this worm as W32.Ymfocard.fam.Botnet. When infecting computers, this worm automatically popups a window to a website, automatically spreads via Yahoo! Messenger. Follows are some behaviors of this malware:

1. Automatically popups page: when virus runs for the first time.

2. Writes key

Administrating? = ?c:windowsinfocard.exe?

Administrating? = ?c:windowsinfocard.exe?

To run virus at Windows startup.

3. Writes key:

FirewallPolicy StandardProfileAuthorizedApplicationsList] to
bypass firewall

4. Copies itself to folder %WinDir% as ?infocard.exe?

5. Dumps file %WinDir%winbrd.jpg

6. Automatically distributes malicious links via YM



- ..................

Yahoo! Messenger users should raise their awareness when receive unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers.