Security researchers at Symantec and BKIS report worms hitting users of Yahoo Messenger and Skype via malicious instant messages.
Security researchers have reported a new wave of attacks targeting users
of Yahoo Messenger and Skype.
BKIS (Bach Khoa Internetwork Security) researchers May 7
said the attack comes
via messages such as, "Does my new hairstyle look good? bad? perfect?"
and "My printer is about to be thrown through a window if this pic won't
come our right. You see anything wrong with it?" The messages contain
"The users are more easily tricked into clicking the link by these
messages, because users tend to think that 'their friend(s)' are asking for
[advice]," said the BKIS blog post. "Moreover, the URL shows a .jpg
file to users, reinforcing the users' thought of an image file."
BKIS' discovery follows the appearance of another worm targeting Yahoo
Messenger that was reported earlier this week.
"The page at the end of the link is basic and does not employ any
exploits in order to install the worm, it relies solely on social
engineering to trick victims into believing they are opening a picture from
a friend, while in fact they run the worm," explained
Symantec researcher Mircea Ciubotariu.
Once executed, "the worm copies itself to %WinDir%\infocard.exe, then
it adds itself to the Windows Firewall List, blocks the Windows Updates service
and sets the following registry value so that it runs whenever the system
Administrating" = "%WinDir%\infocard.exe," Ciubotariu wrote.
With that done, the worm then blasts itself out to everyone on the victim's
Yahoo Messenger contact list, and may also download and execute
other malicious files.
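For defenders, the host behaviors Ciubotariu lists can be correlated per machine. The sketch below is an added example, not code from Symantec, BKIS or the original article; the event schema, host names and sample events are constructed, and because the registry key is not reproduced here, any registry value whose data points at the dropped copy is counted.

```python
import ntpath
import re
from collections import defaultdict

WORM_COPY = r"%WinDir%\infocard.exe"  # drop path quoted in the article

def is_worm_copy(path, windir):
    """True if path resolves to <windir>\\infocard.exe (case-insensitive)."""
    def norm(p):
        p = re.sub(r"(?i)%windir%", lambda m: windir, p.strip().strip('"'))
        return ntpath.normcase(ntpath.normpath(p))
    return norm(path) == norm(WORM_COPY)

def indicator(event, windir):
    """Map one event (assumed schema) to a behavior named in the article."""
    kind = event["type"]
    if kind == "file_create" and is_worm_copy(event["path"], windir):
        return "dropped_copy"
    if kind == "registry_set" and is_worm_copy(event["data"], windir):
        return "registry_points_to_copy"  # key not assumed: any value counts
    if kind == "firewall_allow" and is_worm_copy(event["path"], windir):
        return "firewall_exception"
    # wuauserv is the service name of Windows Update
    if (kind == "service_change" and event["service"].lower() == "wuauserv"
            and event["state"] in ("stopped", "disabled")):
        return "windows_update_blocked"
    return None

def triage(events, windir=r"C:\Windows", threshold=2):
    """Return {host: sorted indicators} for hosts with >= threshold distinct hits."""
    seen = defaultdict(set)
    for ev in events:
        hit = indicator(ev, windir)
        if hit:
            seen[ev["host"]].add(hit)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}

# Constructed sample events, not real telemetry.
SAMPLE = [
    {"host": "PC-01", "type": "file_create", "path": r"C:\WINDOWS\infocard.exe"},
    {"host": "PC-01", "type": "registry_set", "key": "(placeholder)",
     "data": r'"%WinDir%\infocard.exe"'},
    {"host": "PC-01", "type": "service_change", "service": "wuauserv", "state": "disabled"},
    {"host": "PC-02", "type": "file_create", "path": r"C:\Users\a\Downloads\infocard.exe"},
    {"host": "PC-02", "type": "service_change", "service": "wuauserv", "state": "stopped"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE).items():
        print(host, hits)
```

Requiring two distinct indicators keeps a lone stopped update service, which has many benign causes, from raising an alert on its own.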
According to BKIS, the other worm has "more complicated functions."
Among other things, it "automatically sends messages with different
contents containing malicious URLs to user names in [the] Skype [or] Yahoo
Messenger friend list of the user" and "uses rootkit technique to
hide its files and processes." The malware also "blocks operations of
antivirus software" and "copies itself along with file Autorun.inf
into USB drives to spread."
"Once again, we would recommend [that] IM users ... be careful before
clicking any links received, even from your friends or relatives," BKIS
said. Also, "Users should regularly update their antivirus [software]
on their computers."