Infected computers join an IRC botnet

May 3, 2010 14:47 GMT  ·  By

Update: BitDefender has released a free removal tool for this new threat, which it detects as Worm.P2P.Palevo.DP. Other stand-alone anti-malware utilities that can detect and remove this worm are Kaspersky's Virus Removal Tool 2010 and Malwarebytes' Anti-Malware.

A new worm is quickly spreading on Yahoo! Messenger (YM) via Web links to fake images. Users who fall victim to this threat have an IRC botnet client installed on their computers.

According to security researchers from Vietnam-based antivirus vendor Bkis, who analyzed the new worm, it spreads through YM spam. The malware sends malicious links of the form http://[rogue_domain_name]/image.php to the entire contact list of any user logged into YM on an infected computer.

Visiting one of the spammed websites produces a download prompt for an executable deceptively named IMG87654.JPG-www.myspace.com.exe (the digits after IMG vary); the ".JPG" in the middle of the name and the MySpace-looking suffix are there to draw attention away from the real .exe extension at the end. A second social engineering trick used in this attack is that the executable displays the default image-file icon, so it looks like a picture rather than a program.

Once executed on a system, the worm installer drops a file called infocard.exe in the Windows directory and writes startup registry keys for it under [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] and [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]. Three other files called mdt.sys, mds.sys and winbrd.jpg are created alongside infocard.exe, and a new value is added to [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] in order to create an exception for it in the built-in Windows firewall.
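The dropped files, Run keys and firewall exception listed above are exactly the host indicators an incident responder would sweep for. The script below is an added, read-only triage example written for this article; it is not code from Bkis, ThreatExpert or any of the vendors named here. It assumes the files sit directly in the Windows directory as described, that the registry locations are the ones quoted above, and that the data stored in the firewall exception list follows the usual "path:scope:Enabled:name" layout. Because the article names ControlSet001 specifically, which is not always the active control set, the script also checks CurrentControlSet.

```powershell
# Added example, not from the article: read-only sweep for the Ymfocard/Palevo
# host indicators it describes. Run from an elevated PowerShell prompt.
# Nothing is modified or deleted; findings are only reported.

$ErrorActionPreference = 'SilentlyContinue'

# Files the article says the installer drops into the Windows directory
# (assumption: directly in $env:windir, no subfolder).
$droppedFiles = 'infocard.exe', 'mdt.sys', 'mds.sys', 'winbrd.jpg'

# Autostart keys named in the article. The Terminal Server\Install branch is a
# Terminal Services compatibility area whose contents are propagated into user
# hives; it is rarely inspected, which is why malware likes it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Windows Firewall application exception list. The article quotes ControlSet001;
# CurrentControlSet is added because that is the control set actually in use.
$firewallKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
)

$findings = @()

# 1. Dropped files in the Windows directory.
foreach ($name in $droppedFiles) {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = ('{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
        }
    }
}

# 2. Run values whose data references infocard.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/etc. properties
        if ("$($p.Value)" -match 'infocard\.exe') {
            $findings += [pscustomobject]@{
                Type   = 'Autostart'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

# 3. Firewall exception entries. In this key the value NAME is the program path
#    and the data is "path:scope:Enabled:friendly name", so match on both.
foreach ($key in $firewallKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -match 'infocard\.exe' -or "$($p.Value)" -match 'infocard\.exe') {
            $findings += [pscustomobject]@{
                Type   = 'FirewallException'
                Where  = "$key\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

# 4. A running infocard.exe is the strongest sign the IRC bot client is active;
#    record its PID and image path for the incident timeline.
Get-Process -Name infocard | ForEach-Object {
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Where  = "PID $($_.Id)"
        Detail = $_.Path
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ymfocard/Palevo indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in the firewall list alone is worth chasing even if the files are gone: the exception entry is not removed when the executable is deleted, so it often outlives a partial cleanup. Conversely, a clean sweep of these four checks does not prove the host is clean, since the article notes the bot also receives commands over IRC and could install further components; treat this as triage, not as a removal tool.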

An automated ThreatExpert analysis of the worm performed earlier today reveals that its payload involves connecting to an IRC server and joining a botnet. On first run, the worm also points the browser to http://browseusers.myspace.com/Browse/Browse.aspx, which appears to be a legitimate MySpace resource and is most likely there to support the MySpace disguise used in the file name.

"The nature of this attack is nothing new, because some worms already used this way of attack. However, it is always potentially dangerous to unaware users […] Yahoo! Messenger users should raise their awareness when receiving unknown links, even from their friends, and regularly update the latest version of their AV programs to protect their computers," advises Bkis, whose BKAV antivirus product detects this threat as W32.Ymfocard.fam.Botnet. Another alias for it appears to be Mal/Rimecud-D, according to Sophos.

Photo Gallery (3 Images)

New worm spreads through Yahoo! Messenger
Yahoo! Messenger spam spreading the new Ymfocard worm
Malicious worm installer displayed with default image icon