Yahoo! IM Worm

Whenever you see a title like that, you know there’s a virus goin’ around. This week’s exploit is a self-propagating worm that affects those of us who enjoy Yahoo’s Instant Messenger service.

This worm was discovered in late May by Face Time Security Labs. They were using a “Honey Pot,” which is an industry trick to attempt to ensnare attackers by using an unsecured un-updated PC to bait the trap. The IM worm named yahoo32.explr is very unusual in its method of attachment, which unknowingly to you, installs an entirely different Web browser on your system that masquerades as Internet Explorer.

That’s right, and according to Face Time’s Tyler Wells, the Senior Director of Research, “This is the first instance of a complete Web browser hijack without the user’s awareness. Similar ‘rogue’ browsers, such as ‘Yapbrowser,’ have demonstrated the potential for serious damage by directing end users to potentially illegal or illicit material. ‘Rogue’ browsers seem to be the hot new thing among hackers.”

The yhoo32.explr is made up of a couple of different components that help it to complete its mission, so to say. First of all, the worm will attempt to install something called “Safety Browser.” It is a malware Web browser similar to Internet Explorer. Similar by design, this Safety Browser uses IE icons so one may think they are opening IE, when in fact, they are opening Safety Browser. And, of course, you can count of this imposter browser to do what? That’s right, direct us to more malicious laden sites. Oh, it doesn’t stop there. We’re just getting started.

The yhoo32.explr will also hijack or change the homepage of your Internet Explorer to Safety Browser’s. It will start looping horrible music from the moment it’s installed and every moment after (SP2 not affected). It will even change your popup settings to make sure all the trash gets in.

The worm itself populates by sending out copies of the Safe Browser file to all the entrees found in your Yahoo IM contacts list. The malware can actually contact a URL and have commands sent to it to send itself out with different messages. Sometimes, it will even change the body of a message when you send it.

This is a very nasty piece of malware that doesn’t seem to have any recommended uninstall procedures as of yet. Your best bet is to, of course, keep up with all your antivirus updates. Make sure you have a firewall in place and don’t download anything or link out to any Web sites in your Yahoo IM. If there is something that you must get from one of your IM contacts, double check that you are getting the right message, or the war could be over. Until next week, stay away from those IM links and downloads, and you should be safe.

~ Chad Stelnicki