New Yahoo! Messenger Worm Makes the Rounds, Hits Skype Too
A few days ago we were reporting that a worm is spreading via Yahoo! Messenger. The user would receive an instant message that contained a link to what seemed to be a photo. When the user clicked the link he was directed to a webpage – and on that webpage he would be asked to download what seemed to be an image, but was in fact an executable. That executable was a very dangerous worm that created folders in the Windows foldery, modified registry keys, disabled the operating system’s firewall, and could potentially allow someone with malicious intent to take over the compromised machine.
BitDefender says it is a variant of the Palevo worm. Symantec detects the worm as W32.Yimfoca. Security firm Bkis detects the worm as W32.Ymfocard.fam.Botnet.
According to Bkis there is now a newer and more sophisticated version of this worm making the rounds online. The worm targets Yahoo! Messenger users as usual. The news is that it also targets Skype users. The worm is detected by Bkis as W32.Skyhoo.Worm
Just like before, the worm sends messages to Yahoo! Messenger and Skype users; these messages contain malicious links to what seems to be an image (it is not!). To fool the user into thinking the message is genuine, the text that accompanies the link is changed.
“Each time spreading, the messages sent by the Worm have different contents, for example, “Does my new hair style look good? bad? perfect?“, “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?“… The users are more easily tricked into clicking the link by these messages, because users tend to think that “their friend(s)” are asking for advices. Moreover, the URL shows a .JPG file to users, reinforcing the users’ thought of an image file,” explained Bkis.
If a Skype or Yahoo! Messenger user clicks the link, he is sent to a site that resembles RapidShare. He will then be asked to download a .zip file that supposedly contains an image. The archive in fact contains an executable file – a worm.
Bkis explains what the worm does once it makes its way onto a user’s computer:
The warning issued by Thyaga Vasudevan, Product Manager on the Yahoo! Messenger team, stands: do not click suspicious links and do not download executable files sent via Yahoo! Messenger.
BitDefender says it is a variant of the Palevo worm. Symantec detects the worm as W32.Yimfoca. Security firm Bkis detects the worm as W32.Ymfocard.fam.Botnet.
According to Bkis there is now a newer and more sophisticated version of this worm making the rounds online. The worm targets Yahoo! Messenger users as usual. The news is that it also targets Skype users. The worm is detected by Bkis as W32.Skyhoo.Worm
Just like before, the worm sends messages to Yahoo! Messenger and Skype users; these messages contain malicious links to what seems to be an image (it is not!). To fool the user into thinking the message is genuine, the text that accompanies the link is changed.
“Each time spreading, the messages sent by the Worm have different contents, for example, “Does my new hair style look good? bad? perfect?“, “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?“… The users are more easily tricked into clicking the link by these messages, because users tend to think that “their friend(s)” are asking for advices. Moreover, the URL shows a .JPG file to users, reinforcing the users’ thought of an image file,” explained Bkis.
If a Skype or Yahoo! Messenger user clicks the link, he is sent to a site that resembles RapidShare. He will then be asked to download a .zip file that supposedly contains an image. The archive in fact contains an executable file – a worm.
Bkis explains what the worm does once it makes its way onto a user’s computer:
- Automatically exits if the victim’s computer is not installed with Skype or Yahoo! Messenger.
- Automatically sends messages with different contents containing malicious URLs to user names in Skype/Yahoo! Messenger friend list of the user
- Automatically injects malicious link in to Word, Excel files or email that being composed.
- Connects to IRC server to receive commands from hacker
- Blocks operations of antivirus software
- Anti virtual machine and sandbox
- Uses rootkit technique to hide its files and processes
- Prevents users from accessing more than 700 websites of security or antivirus
- Automatically copies itself along with file Autorun.inf into USB drives to spread
The warning issued by Thyaga Vasudevan, Product Manager on the Yahoo! Messenger team, stands: do not click suspicious links and do not download executable files sent via Yahoo! Messenger.
