Top new - Bkav Corporation

Do your best, the rest will come !

New worm spreading via Yahoo Messenger

12:01:00 | 04-05-2010

Yahoo! Messenger users are in danger of being attacked by a new type of worm spreading via the software.

The user will receive from his friend a message which includes a link pretending to be an image link. However, when the user clicks this link, his browser will download a dangerous .exe? file. If he runs the .exe file, his computer is infected, and the malware, then continues to send malicious links to accounts in the user's friend list. Now, the user's account has become a source to distribute malicious links to other users.

The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users. Bad guys have integrated some phishing elements to trick the user into clicking the link and then opening the downloaded file.

Knowing that IM users often share links between each other, attackers have written malware distributing the fake links as image links. The downloaded .exe file itself is also disguised as an image file.

Bkav has detected this worm as W32.Ymfocard.fam.Botnet. When infecting computers, this worm automatically popups a window to a website, automatically spreads via Yahoo! Messenger. Follows are some behaviors of this malware:

1. Automatically popups page: http://browseusers.myspace.com/Browse/Browse.aspx when virus runs for the first time.

2. Writes key

- [HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun]??Firewall
Administrating? = ?c:windowsinfocard.exe?

- [HKCUSoftwareMicrosoftWindowsCurrentVersionRun]??Firewall
Administrating? = ?c:windowsinfocard.exe?

To run virus at Windows startup.

3. Writes key:

- [HKLMSYSTEMControlSet001ServicesSharedAccessParameters
FirewallPolicy StandardProfileAuthorizedApplicationsList] to
bypass firewall

4. Copies itself to folder %WinDir% as ?infocard.exe?

5. Dumps file %WinDir%winbrd.jpg

6. Automatically distributes malicious links via YM

- http://mig[removed]tos.com/image.php

- http://www.k[removed]nk.com/image.php

- ..................

Yahoo! Messenger users should raise their awareness when receive unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers.

Bkav

Others

The DEEP#GOSU virus campaign takes advantage of Google Docs and Dropbox to attack Windows users

LockBit ransomware virus attacks Windows Domain servers in Vietnam

5 million websites are at risk because of vulnerabilities in WordPress' LiteSpeed

Warning: using AI to create fake images and voices to scam money

Bug in Microsoft Outlook allows hackers to steal information and take control of devices

OPSWAT and Bkav signed a strategic partnership

Summary of cybersecurity in 2023 and forecast for 2024

Warning: Many Elknot virus variants appear targeting Vietnamese Linux servers

Bkav launches Bkav Pro 2024 with the orientation of expanding the global market

Applications impersonating government agencies to spread viruses on Android are highly active in Vietnam