VirusTotal - Malware Yahlover Disseminates Through Yahoo Messenger
VirusTotal, a free online scanning service for viruses and other malware, listed the Yahlover worm, which spreads via Yahoo Messenger, among the ten most prevalent malicious e-threats on July 6, 2009.
Variants of the Yahlover worm try to spread through an IM (Instant Messaging) e-mail client such as Windows Messenger, AIM or Yahoo! Messenger running on an infected system. They typically send friends an e-mail containing a web link that points to a harmful page, which tries to exploit the MS06-014 security flaw so that the worm can plant itself on the affected systems, security researchers stated.
Moreover, once executed, Yahlover creates two copies of itself in the %Systems% or %Windows% directories, naming the new files svchost.exe and svchost32.exe. The worm then changes the registry so that it becomes active every time Windows is started.
When that happens, a pop-up window appears repeatedly at short intervals, displaying the malicious web page link.
The worm also spreads via Autorun.ini files loaded through removable devices, so that it is executed automatically on computers that have 'Autorun' enabled.
Nevertheless, because the worm has been spotted numerous times, a detailed analysis is necessary of two versions of Yahlover: W32/Yahlover.worm and W32/Yahlover.worm.gen.d.
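The file names and start-up behaviour described above can be turned into a simple triage check over an exported file list and autostart list. The following Python is an added example, not code from the article or from any vendor; the default `C:\Windows` location, the function names and the sample inventory are assumptions constructed for illustration, and the autostart entries stand in for whatever start-up export is available, since the article does not name the registry key.

```python
import ntpath
import re

WINDOWS_DIR = r"C:\Windows"                 # assumption: default install path
SYSTEM_DIR = WINDOWS_DIR + r"\System32"

def _norm(path):
    # Expand %windir% / %SystemRoot%, resolve "..", fold case and separators.
    path = re.sub(r"%(windir|systemroot)%", lambda m: WINDOWS_DIR, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path.strip()))

def _exe_of(command):
    # Pull the executable path out of a start-up command line.
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, flags=re.I)
    return m.group(1) if m else command

def check_file(path):
    """Return a reason if the path matches the article's file names, else None."""
    folder, name = ntpath.split(_norm(path))
    in_windows = folder == _norm(WINDOWS_DIR)
    in_system = folder == _norm(SYSTEM_DIR)
    if name == "svchost32.exe" and (in_windows or in_system):
        return "svchost32.exe in Windows/System directory"
    if name == "svchost.exe" and in_windows:
        return "svchost.exe in Windows directory, not System32"
    # System32\svchost.exe is the genuine location: a name check cannot judge
    # it, so verify its signature or hash separately.
    return None

def triage(file_paths, autostart_entries):
    findings = []
    for path in file_paths:
        reason = check_file(path)
        if reason:
            findings.append(("file", path, reason))
    for entry_name, command in autostart_entries:
        reason = check_file(_exe_of(command))
        if reason:
            findings.append(("autostart", entry_name, reason))
    return findings

# Constructed sample inventory (not taken from a real infection).
FILES = [r"C:\Windows\System32\svchost.exe", r"C:\WINDOWS\svchost.exe",
         r"C:\Windows\System32\svchost32.exe", r"C:\Windows\explorer.exe"]
AUTOSTART = [("EntryA", r'"C:\Program Files\Vendor\update.exe" /silent'),
             ("EntryB", r"%windir%\svchost32.exe /s")]

if __name__ == "__main__":
    for finding in triage(FILES, AUTOSTART):
        print(finding)
```

A hit from this check is a lead for further analysis, not a verdict: other malware families reuse the same file names, and a copy written over the genuine `System32\svchost.exe` path would pass the name test.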
Commenting on this point, researchers of computer security said that cyber criminals like spammers were getting increasingly creative in their malevolent campaigns. Hence, it was extremely vital that computer users installed reliable antivirus software for warding off infections like Yahlover. It was also important that users turned on a PC firewall and installed the most recent computer updates. Furthermore, users needed to be cautious while handling file transfers and e-mail attachments, the researchers advised.
Meanwhile, the security specialists stated that the Yahlover worm had also been circulating in the later months of 2008 in Thailand and Vietnam. There it carried out several operations to disable security products and to deactivate tools used for system configuration. Additionally, the worm was programmed to collapse any folder option displays along with registry tools and Task Manager, the specialists added.
» SPAMfighter News - 31-07-2009