We have recently learned about the existence of a new Yahoo! Messenger worm doing the rounds. Potential victims receive instant messages from contacts in their list, containing a link claiming to be a photo, which in reality points to a malicious executable.
The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely on social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm.
When the link is clicked, the default browser is redirected to the worm executable, which has a misleading name. Please note the file extension is actually “.exe”. In order to run, the worm still needs the user’s action to open/run the file.
Once run, the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, stops the Windows Updates service and sets the following registry value so that it runs every time the system boots:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\“Firewall Administrating” = “%WinDir%\infocard.exe”
Then it looks for the Yahoo! Messenger application on the system, and sends out links to the worm to everyone in the contact list. It may also download and execute other malicious files.
When run the first time, the worm will open a new page to the following address, so some photos eventually appear to the user, in order to mask the infection:
Symantec detects and remediates this threat as W32.Yimfoca.
We recommend Yahoo! Messenger users to be especially careful with what types of files they are opening, and be cautious with links received even from well known and trusted contacts. Many times becoming a victim can be avoided just by asking the contact who sent the link whether it’s real or not.