Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 3rd, 2010

Yahoo! Messenger Users Infected By New Worm, Form An IRC Botnet

A new worm is quickly spreading on Yahoo! Messenger (YM) via Web links to fake images. Users who fall victim to this threat have an IRC botnet client installed on their computers.

According to security researchers from Vietnam-based antivirus vendor Bkis, who analyzed the new worm, it spreads through YM spam. The malware sends out malicious links of the form http://[rogue_domain_name]/image.php to the entire contact list of any user logged into YM on an infected computer.

Visiting the spammed websites results in a download prompt for an executable file deceptively called (the number after IMG can differ). A different social engineering trick used in this attack is the default image icon being displayed for the file.

Once executed on a system, the worm installer drops a file called infocard.exe in the Windows directory and writes startup registry keys for it under [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] and [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]. Three other files called mdt.sys, mds.sys and winbrd.jpg are created alongside infocard.exe and a new value is added to [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] in order to create an exception in the default Windows firewall.
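A read-only host check for the persistence and firewall-exception artifacts listed above, added here as an example and not part of the article or the Bkis analysis. It assumes the dropped files sit under $env:SystemRoot (the article only says "the Windows directory") and that the Run keys and firewall list are at the paths the article gives.

```powershell
# Added example: look for the Ymfocard artifacts described in the article.
# Read-only; run in an elevated prompt so HKLM and the Windows directory are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$firewallKey  = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$droppedFiles = @('infocard.exe', 'mdt.sys', 'mds.sys', 'winbrd.jpg')   # names from the article
$findings     = @()

# 1. Dropped files: assumed location is the Windows directory ($env:SystemRoot).
foreach ($name in $droppedFiles) {
    $path = Join-Path $env:SystemRoot $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = $hash }
    }
}

# 2. Run-key values whose data points at infocard.exe (value name is attacker-chosen, so match on data).
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata (PSPath, PSParentPath, ...)
        if ("$($p.Value)" -match 'infocard\.exe') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

# 3. Firewall exception list: in this key the value NAME is the program path and the data
#    is typically "<path>:*:Enabled:<label>", so check both name and data.
if (Test-Path -LiteralPath $firewallKey) {
    $fw = Get-ItemProperty -LiteralPath $firewallKey
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -match 'infocard\.exe' -or "$($p.Value)" -match 'infocard\.exe') {
            $findings += [pscustomobject]@{ Type = 'FirewallException'; Location = "$firewallKey\$($p.Name)"; Detail = $p.Value }
        }
    }
}

if ($findings.Count -eq 0) { 'No Ymfocard indicators found.' } else { $findings | Format-Table -AutoSize }
```

The script only reports; removal should be left to an up-to-date AV product, since the worm also has a running process and a firewall exception to undo.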

An automated ThreatExpert analysis of the worm performed earlier today reveals that its payload involves connecting to IRC and joining a botnet. On first run, the worm points the browser to, which appears to be a legit MySpace resource.

“The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users […] Yahoo! Messenger users should raise their awareness when receiving unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers,” advises Bkis, whose BKAV antivirus product detects this threat as W32.Ymfocard.fam.Botnet. Another alias for it appears to be Mal/Rimecud-D, according to Sophos.

Credit: News
