
November 08, 2006

Yahoo Messenger Virus Detected

Well, it's official now: a virus has targeted Yahoo Messenger this time, and it is sending a text message to all IM contacts of the infected user.

The possible cause and the findings from Abhishek's analysis are given here.
Conclusions (Confirmed)
1. It uses msinet.ocx and the web browser control for communicating with websites and downloading more files.
2. It begins by adding an unusual taskkil.exe to your System32 directory, which is a program to kill system processes.
3. It creates a batch script at C:\killav.bat to kill antivirus products.
4. It accesses XXX, where the developer may enter commands for the application to update itself.
5. It then begins accessing XXXX, which shows AdBrite ads when opened in Firefox; maybe there is an auto-clicking feature encoded.
6. It downloads an executable from YYY, which it then renames to svchost32.exe.
7. It also downloads the executable at YYYY.

The developer seems to want this trojan to be called "Termex", since he owns the domain Mytermex(dot)com (do not visit this site) and has directories named "Termex" on the server where he hosts his executables!

The code is no doubt a good one, but I'd have preferred that he had used this knowledge for good. Now, apparently this doesn't affect the Firefox/Mozilla and Opera browsers (note the "apparently"), but IE users are doomed.

I am infected! Now what?
Don't panic. Tech Guru has written a nice tutorial on saving yourself from this trojan. I haven't tried it yet, but from the look of it, it appears that it'll work. So go ahead and find it here:
http://www.newsfactor.com/blog_article.php?aid=305161

How does this spread?
I am not aware of the other mediums, but yes, I myself have witnessed this propagating through Yahoo Messenger, and there is a possibility that it may send your Yahoo ID/password to the attacker.
Possible PMs that you may get are:

Quote: damn, she is so cute hxxp://nsl-school.org?id=miss_world (Do not open this URL in your browser)

Quote: have you ever seen such a silly man like this ? hxxp://nsl-school.org?id=stories (Do not open this URL in your browser)

Quote: Download Free MP3s at hxxp://nsl-school.org?id=mp3 (Do not open this URL in your browser)

These messages are generally very tempting and make you click on the link, but once you do, you're doomed!

!!!WARNING: DO NOT OPEN THE URLS BELOW IN YOUR BROWSER OR YOU MAY GET INFECTED!!!
XXX = hxxp://giftshop.vn/update.txt
XXXX = hxxp://www.myglobal-news.com
YYY = hxxp://italiandirectory.com/termex/host2.exe
YYYY = hxxp://italiandirectory.com/termex/host.exe

Possible Domains Owned by the Developer of this Trojan
hxxp://www.nsl-school.org
hxxp://www.giftshop.vn
hxxp://www.myglobal-news.com
hxxp://www.italiandirectory.com
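As an added example (not part of the original post or Abhishek's analysis), here is a small Python check a defender can run over saved chat logs and a file listing: it flags the lure URLs quoted above and the dropped files the post describes. The System32 locations of taskkil.exe and svchost32.exe are assumptions; the post only names the directory and the file names.

```python
import re

# File artifacts the post attributes to the worm. killav.bat is given with its full
# path; the two System32 paths are assumed from the post's description.
ARTIFACT_PATHS = {
    r"C:\killav.bat",
    r"C:\WINDOWS\System32\taskkil.exe",    # assumed: "adds taskkil.exe to System32"
    r"C:\WINDOWS\System32\svchost32.exe",  # assumed: renamed download from YYY
}

# Every lure quoted in the post points at nsl-school.org with an ?id= parameter.
# The pattern accepts both the live "http" and the defanged "hxxp" spelling.
LURE_RE = re.compile(r"h(?:xx|tt)p://(?:www\.)?nsl-school\.org/?\?id=(\w+)", re.IGNORECASE)


def find_lure_messages(lines):
    """Return (line_number, id_value) for each chat line carrying the lure URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LURE_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def check_artifacts(present_paths):
    """Return the known artifact paths that appear in present_paths (case-insensitive)."""
    wanted = {p.lower(): p for p in ARTIFACT_PATHS}
    return sorted(wanted[p.lower()] for p in present_paths if p.lower() in wanted)


# Constructed sample chat log (not real captured data): two lures among benign lines.
SAMPLE_LOG = [
    "[10:01] alice: damn, she is so cute http://nsl-school.org?id=miss_world",
    "[10:02] bob: meeting moved to 3pm",
    "[10:03] alice: Download Free MP3s at http://nsl-school.org?id=mp3",
    "[10:04] carol: slides are at http://example.org?id=mp3",
]

# Constructed file listing standing in for a real directory walk of the host.
SAMPLE_PATHS = [
    r"C:\killav.bat",
    r"C:\WINDOWS\System32\notepad.exe",
    r"c:\windows\system32\TASKKIL.EXE",
]

if __name__ == "__main__":
    for n, lure_id in find_lure_messages(SAMPLE_LOG):
        print(f"lure on line {n}: id={lure_id}")
    print("artifacts present:", check_artifacts(SAMPLE_PATHS))
```

Replace SAMPLE_LOG and SAMPLE_PATHS with the output of a real log export and directory walk; a hit in either list is a reason to follow the removal tutorial linked above.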


comments:

Anonymous said...
9:56 AM GMT+5:30
 

Hello Mate,
I'd prefer if you link to the exact article on my site!

Abhishek
