Worm on Yahoo! Messenger
The India research arm of FaceTime Security Labs discovered the threat in a 'honeypot', reports CR Jayachandran.india Updated: May 22, 2006 14:48 IST
All those who are logged on to Yahoo! Messenger beware.
Research experts at a leading US-based security solutions have confirmed that a self-propagating worm, named yhoo32.explr, installs 'Safety Browser' and hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs.
FaceTime Security Labs researchers identified and reported the new threat affecting Yahoo! Messenger.
According to officials of the security firm, the India research arm of FaceTime Security Labs discovered the threat in a 'honeypot', a trap they set to detect viruses, worms, spyware and other threats.
Because Safety Browser uses the IE icon, users can easily mistake it for Internet Explorer. This is the first recorded incidence of malware installing its own web browser on a PC without the user's permission.
|Threat name: yhoo32.explr|
|Threat type: Browserware and worm|
|Who is affected: Yahoo! Messenger users|
"This is one of oddest and more insidious pieces of malware we have encountered in years," commented Tyler Wells, Senior Director of Research at FaceTime Security Labs.
The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by sending a website link that loads a command file onto the user's PC and installs Safety Browser, they warned.
This spam over instant messaging (IM) is called spim. IM applications and protocols are an increasingly popular vector to distribute malicious files and executables.
"This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers," Wells said.
How the Trojan works
The malware infects the PC with two elements. The first element is a web browser called "Safety Browser." This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser's homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser. The second element is the self-propagating worm. This worm installs an .exe file that spreads the infection through Yahoo Messenger to everyone on the Contacts List.