Attacks/Breaches
5/3/2010
05:02 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New IM Worm Spreading Fast

Aggressive new variant of an older worm circulating around Yahoo Messenger lets attacker take over a victim's machine

A smiley-faced instant message with a photo link posing as if it's from someone on your buddy list is actually spreading misery worldwide in the form of a worm on Yahoo Instant Messenger: The IM ultimately delivers a worm that allows an attacker to take over the victim's machine, not to mention spread itself among the victim's contact list.

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. "Today it started spreading like wildfire," Coisoi says.

He says the socially engineered message appears to be capitalizing on the May 1 national holiday in Romania. "People expect to see pictures [from their friends and colleagues] after a national holiday," he says. But he also expects the worm to make inroads in the U.S. today and tomorrow, with potential victims coming off of a weekend.

The worm -- known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec -- is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable.

BitDefender says the worm contains a backdoor, which lets an attacker take over the victim's compromised machine, to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems. It's also spreading the way the infamous Conficker worm has done, via network shares and removable USB drives using the Autorun feature. When an infected memory stick gets loaded into a machine with Autorun enabled or unprotected, the machine can automatically be infected with the worm.

"You can do anything you want with a backdoor -- keylogging to search for passwords, or it could be a botnet," Coisoi says. "It offers the attacker full system access."

It also spreads via peer-to-peer sharing sites, such as Kazaa and LimeWire.

The good news: Because it drops an .exe file, it requires the user to run it for it to go live. According to Symantec, once the worm is run, it adds itself to the Windows Firewall list, stops the Windows Update service, and configures itself such that it runs each time the system boots. The worm automatically sends itself to everyone on the victim's contact list.

"The nature of this attack is nothing new, because some worms already used this way of attack," BKIS researchers blogged. "However, it is always potentially dangerous to [unaware] users. Bad guys have integrated some phishing elements to trick [the] user into clicking the link and then opening the downloaded file."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.