PoolSkill.com Blog

Security researchers have identified a new worm spreading across Yahoo’s instant messaging network that has been cloaked under the guise of a “safety” browser in an attempt to dupe users.

First discovered by anti-malware researchers at FaceTime Communications, the worm, labeled as yhoo32.explr, is forwarding itself throughout Yahoo’s IM system via the contact lists of people whose computers it has already been infected. Once loaded onto a PC, the malicious program automatically hijacks the computer’s existing browser home page and encourages users to visit a fraudulent Web site that attempts to load spyware programs onto their devices.

FaceTime researchers said they have observed two versions of the attack, one of which is a stand-alone application with no uninstaller that frequently disguises itself with a faked version of Microsoft’s Internet Explorer logo. The second, self-propagating iteration of the worm, uses an .exe file to spread the infection through the Yahoo Messenger directories.

Yahoo! representatives didn’t immediately return calls seeking comment on the IM virus.

Addition to prompting users to visit the malware-loaded Web site, the virus also plays looped guitar music whenever someone starts up a PC it has infected, or opens the fraudulent safety browser itself. FaceTime researchers said that the attack is the first form of virus they have encountered that installs its own Web browser on a PC without the user’s permission.

The Santa Claus worm doesn’t care whether you’ve been naughty or nice, but it’s making a list of PCs to infect this holiday season, according to a threat alert released by security firm IMlogic today.

A new instant-messaging worm called IM.GiftCom.All is making the rounds this holiday season. Rated as a “medium” threat by IMlogic, the worm attempts to get users of the instant-messaging networks run by America Online, Yahoo, and Microsoft to visit a seemingly festive Web site featuring Santa Claus.

The message comes from someone already present on a user’s “buddy list,” said Art Gilliland, vice president of products for IMlogic. It contains a supposed link to a URL (uniform resource locator) starting with “santaclause.aol.com/a?|”

However, clicking on that link takes users to a different Web site and triggers the download of a malicious file to a user’s PC, Gilliland said. That file is created using rootkit techniques, making it extremely difficult to detect with conventional antivirus or operating system tools, he said. Once resident on a system, the file tries to shut down antivirus software and collects personal information that can be redistributed over the Internet.

IMlogic has not recorded an instance where that personal information was actually sent out to the Internet, but the program does log information, Gilliland said.

Don’t Click!

Users are advised to avoid clicking on anything sent through an instant-messaging system unless they have verified that the file or picture is legitimate and the sender intended to pass it along, Gilliland said. IMlogic recently identified an instant-messaging bot that produces canned assurances that a file is legitimate when the recipient replies to check its authenticity, so it’s important to take extra care to verify the sender’s intentions, he said.