New worm spreading via Yahoo! Messenger
01:01:16, 04/05/2010

Yahoo! Messenger users are in danger of being attacked by a new type of worm spreading via the software.

The user receives a message from a friend containing a link that pretends to be an image link. However, when the user clicks this link, the browser downloads a dangerous ".exe" file. If the user runs the ".exe" file, the computer is infected, and the malware then continues to send malicious links to the accounts in the user's friend list. The user's account has now become a source distributing malicious links to other users.

The nature of this attack is nothing new, because some worms have already used this method of attack. However, it is always potentially dangerous to unaware users. Bad guys have integrated some phishing elements to trick the user into clicking the link and then opening the downloaded file.

Knowing that IM users often share links with each other, attackers have written malware that distributes fake links disguised as image links. The downloaded .exe file itself is also disguised as an image file.

Bkav has detected this worm as W32.Ymfocard.fam.Botnet. When it infects a computer, the worm automatically pops up a browser window to a website and automatically spreads via Yahoo! Messenger. The following are some behaviors of this malware:

1. Automatically pops up the page http://browseusers.myspace.com/Browse/Browse.aspx when the virus runs for the first time.

2. Writes the keys

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Firewall Administrating" = "c:\windows\infocard.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "Firewall Administrating" = "c:\windows\infocard.exe"

to run the virus at Windows startup.

3. Writes to the key

    [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

to bypass the firewall.

4. Copies itself to the folder %WinDir% as "infocard.exe"

5. Dumps file %WinDir%\winbrd.jpg

6. Automatically distributes malicious links via YM

    http://mig[removed]tos.com/image.php

    http://www.k[removed]nk.com/image.php

    ...

Yahoo! Messenger users should stay alert when they receive unknown links, even from their friends, and should regularly update their AV programs to the latest version to protect their computers.

Bkis
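
The behaviors listed in items 2 to 5 can be checked on a Windows host without changing anything. The PowerShell below is an added example, not part of the original advisory or Bkav's tooling; the function names `New-Finding` and `Get-YmfocardFinding` are hypothetical. It assumes PowerShell 4.0 or later (for `Get-FileHash`) and that the firewall exception references infocard.exe, which the advisory does not state.

```powershell
# Added example: read-only host triage for the indicators listed in the advisory.
$ValueName = 'Firewall Administrating'   # Run value name from the advisory
$WormExe   = 'infocard.exe'              # worm copy in %WinDir%
$DropFile  = 'winbrd.jpg'                # file dropped in %WinDir%
$RunKeys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$FwList    = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\' +
             'FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function New-Finding($Indicator, $Location, $Detail) {
    [pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail }
}

function Get-YmfocardFinding {
    # Behavior 2: autorun value in the HKLM and HKCU Run keys.
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$ValueName]) {
            New-Finding 'Run value' $key $props.$ValueName
        }
    }
    # Behavior 3: firewall exception. Assumption: the entry names the worm's
    # executable, so match the file name in either the value name or its data.
    $fw = Get-ItemProperty -Path $FwList -ErrorAction SilentlyContinue
    if ($fw) {
        foreach ($p in $fw.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Name) $($p.Value)" -like "*$WormExe*") {
                New-Finding 'Firewall exception' $FwList $p.Value
            }
        }
    }
    # Behaviors 4 and 5: files written to %WinDir%. The hash is recorded for
    # the analyst; the advisory publishes no hash to compare it against.
    foreach ($name in $WormExe, $DropFile) {
        $path = Join-Path $env:WinDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            New-Finding 'File in %WinDir%' $path "SHA256 $hash"
        }
    }
}

$findings = @(Get-YmfocardFinding)
if ($findings.Count -eq 0) { 'No indicators from the advisory were found.' }
else { $findings | Format-List }
```

The HKCU check only covers the account running the script, so run it in the session of the user who received the link as well as from an administrative account.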



      © 2010 Bkis - Internet Security
      Hitech Building, 1A Dai Co Viet Str., Hai Ba Trung Dist., Ha Noi, Vietnam  * Contact us
    © Please specify "source: Bkis" when using any information from this website.