
Yahoo Worm Attacks Messenger Users After Posing as Image

Posted: May 5, 2010

Yahoo! Messenger (YM) clients beware! A new worm is attacking YM after posing as an attached image.

Users attacked by a new Yahoo! Messenger infection will most likely have an Internet Relay Chat (IRC) botnet already installed on the compromised PC. The new worm uses YM to spread as spam and sends a malicious link (http://[rogue_domain_name]/image.php) to the entire contact list of users logged into YM. Visiting the website results in a download pop-up for a file called 'IMG87654.JPG-www.myspace.com.exe' (the number after 'IMG' may differ).

Computer security experts say the worm has been detected as W32.Ymfocard.fam.Botnet. W32.Ymfocard.fam.Botnet also uses a default image icon displayed for the file to con hapless victims. Once executed on a system, the worm drops a file called 'infocard.exe' in the Windows directory and writes startup registry keys for it under the following:

  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]

Three other files called mdt.sys, mds.sys and winbrd.jpg are created with 'infocard.exe', and a new value is added to the registry entry [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] in order to create an exception in the default Windows firewall.
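As an added triage check (example code, not from the article or any vendor tool), the following PowerShell reads the Run keys, the firewall exception list and the Windows directory locations named above and reports any entry referencing infocard.exe or the other dropped file names. It assumes an elevated PowerShell 3.0 or later session on the suspect host; checking CurrentControlSet alongside ControlSet001 is an added assumption, not something the article states.

```powershell
# Added example: audit the persistence artifacts described for W32.Ymfocard.fam.Botnet.
# Assumes an elevated PowerShell 3.0+ session on the suspect host.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$firewallKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    # Assumption: the live control set is worth checking too, in case ControlSet001 is not the active one.
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)
$droppedFiles = @('infocard.exe', 'mdt.sys', 'mds.sys', 'winbrd.jpg')
$indicator = [regex]::Escape('infocard.exe')
# Properties that Get-ItemProperty adds itself and that are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        if ("$($p.Value)" -match $indicator) {
            $findings += "Run key value: $key\$($p.Name) = $($p.Value)"
        }
    }
}

foreach ($key in $firewallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        # Under ...\List the value name is the authorized executable path and the data is "path:*:Enabled:name".
        if ($p.Name -match $indicator -or "$($p.Value)" -match $indicator) {
            $findings += "Firewall exception: $key -> $($p.Name) = $($p.Value)"
        }
    }
}

foreach ($f in $droppedFiles) {
    $path = Join-Path $env:windir $f
    if (Test-Path $path) {
        $item = Get-Item -Path $path -Force
        $findings += "Dropped file present: $path ($($item.Length) bytes, created $($item.CreationTime))"
    }
}

if ($findings.Count -eq 0) { 'No W32.Ymfocard.fam.Botnet persistence artifacts found in the checked locations.' } else { $findings }
```

A hit on any of these locations is a strong signal, but an absence proves little, since the file names may vary between samples; treat the script as a first pass before a full scan.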

W32.Ymfocard.fam.Botnet also has the ability to connect to IRC and join a botnet if one is not already present on the machine. Once active, the worm points the browser to http://browseusers.myspace.com/Browse/Browse.aspx, which appears to be a MySpace resource.

W32.Ymfocard.fam.Botnet spreads at an infection rate of 500 percent per hour beginning over the weekend, according to experts. The virus can install malware, steal files, intercept passwords, and launch various other attacks typical of malware. PC users who are infected by W32.Ymfocard.fam.Botnet may also have infected USB drives, which allows the worm to spread further when the drive is shared.

It is highly recommended that you get rid of W32.Ymfocard.fam.Botnet with a good spyware removal tool before it causes you endless problems.
