Dec 8, 2010 17:51 GMT

Security researchers from Symantec warn that a new worm spreading via instant messaging applications is capable of targeting users in twenty different languages.

The code of the worm, which is detected as W32.Yimfoca.B, contains a routine that checks for the location of the user and sends spam in the appropriate language.

If the location scan result is not on a hardcoded list of 44 countries, the malware falls back to English messages, which can read “seen this? [link]” or “this is the funniest photo ever! [link].”

In addition to spreading by spam through Google Talk, ICQ, MSN Messenger, Paltalk, Skype, Xfire or Yahoo! Messenger, the worm also infects removable USB drives inserted into the computer.

“When W32.Yimfoca.B infects these drives, it hides existing folders found on the removable drive, setting their attributes to ‘system’ and ‘hidden’, and replacing them with a shortcut link to a copy of the worm,” Symantec’s Stephen Doherty notes.

“The shortcut icon will be that of a folder, so a user may be fooled into thinking this is in fact the original folder,” the researcher explains.
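A defender-side check for the folder replacement described above, as an added example that is not from Symantec or the original article: it flags folders in a drive's root that carry both the hidden and system attributes and sit beside a same-named .lnk file. It assumes the shortcut reuses the folder's name; the function names and the sample listing are constructed for illustration.

```python
import os
import stat
import sys

# Windows attribute bits; the stat module defines them on every platform.
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

def list_root(root):
    """Yield (name, is_dir, attrs) for each entry directly under root.
    st_file_attributes exists only on Windows; elsewhere attrs is 0."""
    with os.scandir(root) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            yield entry.name, entry.is_dir(follow_symlinks=False), attrs

def find_replaced_folders(entries):
    """Return names of hidden+system folders that have a same-named .lnk beside them."""
    entries = list(entries)
    # Base names of all shortcut files, compared case-insensitively like NTFS/FAT.
    shortcuts = {name[:-4].lower() for name, is_dir, _ in entries
                 if not is_dir and name.lower().endswith(".lnk")}
    hits = []
    for name, is_dir, attrs in entries:
        both_bits = (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
        if is_dir and both_bits and name.lower() in shortcuts:
            hits.append(name)
    return sorted(hits)

# Constructed sample listing of a removable drive root (not real data).
D = stat.FILE_ATTRIBUTE_DIRECTORY
A = stat.FILE_ATTRIBUTE_ARCHIVE
SAMPLE = [
    ("Photos", True, D | HIDDEN_SYSTEM),      # hidden+system, has shortcut: flagged
    ("Photos.lnk", False, A),
    ("Work", True, D | stat.FILE_ATTRIBUTE_HIDDEN),  # hidden only: not flagged
    ("Work.lnk", False, A),
    ("System Volume Information", True, D | HIDDEN_SYSTEM),  # no shortcut: not flagged
    ("Docs", True, D),
    ("readme.lnk", False, A),                 # shortcut with no matching folder
]

if __name__ == "__main__":
    # With a path argument (e.g. E:\ on Windows) scan that root; otherwise use the sample.
    listing = list_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for folder in find_replaced_folders(listing):
        print("hidden+system folder with same-named shortcut:", folder)
```

Requiring the paired shortcut keeps normal hidden system folders such as System Volume Information out of the results.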

The malware installs itself under Application Data as a file named jutched.exe, a slight name variation from jusched.exe, the legit Java Update scheduler component.

In fact, Yimfoca.B even creates a startup key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ called “Java Update Manager”.

The worm is used as a distribution platform for other malware, possibly as part of a pay-per-install scheme, so users who fall victim to the IM social engineering attacks will probably have multiple malware infections on their computer.

The most interesting aspect of this threat is the localization component, which clearly suggests an attempt by its creator to reach as many users as possible and increase the pool of potential victims.

We’ve also seen the same technique used in Facebook and Twitter scams earlier this year. Just last month, compromised Facebook accounts were used to direct Croatian users to a malicious Java applet.