IM worm installs 'safe' Web browser

By Joris Evers
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
- Google
- Newsvine
- Yahoo! Bookmarks
- Twitter
- Stumbleupon
E-mail
Print

Related Stories: New worm targets Apple chat users
February 16, 2006; Study: Instant-messaging attacks rose in 2005
January 10, 2006; Santa IM worm hits AOL, MSN and Yahoo
December 20, 2005; New IM worm chats with intended victims
December 6, 2005

A new instant messaging worm installs a rogue Web browser called "Safety Browser" and hijacks the user's Internet Explorer home page, experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found two weeks ago on the Yahoo instant messaging network and was still active as of Friday, Tyler Wells, senior director of research at FaceTime, a seller of instant messaging security products, said in an interview.

The worm drops the "Safety Browser" on the target's machine. The rogue browser uses the same icon as Microsoft's IE Web browser and, when opened, takes users to a site that installs spyware on the PC, FaceTime said. "This is the first recorded incidence of malware installing its own Web browser on a PC," the company said in a statement.

The pest also sets the victim's IE home page to Safety Browser's Web site and plays looped music that cannot be stopped, FaceTime said. Additionally, when installed the worm sends itself to all of the infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC. The link may also say "Goat_Ensem Bot" with a smiley. After someone clicks the link, at least one warning will be displayed to tell the user that software is about to be downloaded or installed and that this may be malicious, Wells said.

Researchers at Foster City, Calif.-based FaceTime discovered the pest after it hit on one of their test machines. These PCs are connected to instant messaging networks and typically logged in to chat rooms, which often are the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats by not clicking unexpected or unsolicited links.

See more CNET content tagged:
FaceTime Communications, worm, IM, Yahoo! Inc., Web browser

Add a Comment (Log in or register) 16 comments

IM Worm
by Roman12 May 22, 2006 9:15 PM PDT: It should be very effective if it does in fact sends it self to the victim?s contacts, average computer users know little about worms and spyware. Another good example which demonstrates the need for reliable anti-spyware software and making people aware. As well as discontinue using the old IE and switching to Firefox.
______________________________
R.K.
http://www.Remove-All-Spyware.com; Reply to this comment View reply
Processing

This IM warm was discovered in India and not calif.
by nonicks May 23, 2006 8:00 AM PDT: Just Correcting the Data.; Reply to this comment

Temporary cure
by pentium4forever May 23, 2006 11:51 AM PDT: For cryin' out loud, people need to get off of IE and start using FF or Opera. It won't solve every problem no, but should be a temporary shield.; Reply to this comment View reply
Processing

simple final fix
by CaptDave86 May 30, 2006 5:26 AM PDT: a simple fix for all non-link based IM viruses is to ditch the client from Yahoo/AIM/MSN and get Trillian. its that simple. now you cant prevent stupidity like everyone was saying, where someone will click on the link. but what are you going to do? Ill admit it, i had clicked on a link, where the text before it stated: "how is this for a Myspace profile picture? and a link after it, that was stated as a jpg file, whne i clicked on it, IE tryed to DL a DAT file, well nothing on my computer defaults to open a DAT. so i got a little curious and wanted to open it up in notepad to see if it was a compiled DAT or a scripted DAT, and unfortunatly it was compiled and i couldnt see and of the code. i dont have a decompiler so i couldnt figure out how it worked.
But still, Trillian is the best approtch to getting rid of the nasty IM infested non-link viruses. i have been useing it for the last 6-7 years and never, ever have gotten infected with a IM based virus from it.; Reply to this comment

Latest tech news headlines

Opera 9.6 focuses on neglected features
Posted in The Download Blog by Seth Rosenblatt

October 8, 2008 12:01 AM PDT
Fix glitches by updating your software
Posted in Workers' Edge by Dennis O'Reilly

October 8, 2008 12:01 AM PDT
Government use of biometrics still raises privacy concerns
Posted in News - Politics and Law by Stephanie Condon

October 8, 2008 12:00 AM PDT
See all headlines

Resource center from News.com sponsors

You Need The Speed of Norton 2009

Introducing Norton Internet Security™2009

With one-click, one-minute install, under 8MB of memory usage and fewer, shorter scans, it's the fastest security suite anywhere. Norton. Smart Security, Engineered for Speed. Get a FREE trial today!

The Fastest Security Suite Anywhere

Experience the revolutionary Norton Internet Security™ 2009. With Norton™ Insight, a new feature, you get precision security that targets only at risk files for fewer, faster, shorter scans

Win a Trip to Space!*

Enter the Blast Off with Norton Sweepstakes for your shot at a trip to space. You could experience being fast and weightless, just like the new Norton 2009. *No purchase necessary; click for full details.

FREE Trial!

Act now to get your FREE trial of Norton Internet Security 2009. Try it for the protection. Love it for the speed

Norton Safe Web NEW!

A community-based system that rates web site safety

Norton Labs NEW!

Users can download new security technologies and share input directly with developers. Help us shape our future products!

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Unisys hopes ex-Gateway chief can turn it around
Struggling IT services company has chosen Edward Coleman, a man it says has a long history of transforming troubled tech companies, to take over as CEO.
Gallery
Photos: Messenger returns to Mercury
Digital Noise: Music and Tech
iPod dying? It's already dead.
In an interview this week, Apple cofounder Steve Wozniak said that the iPod would go the way of the Walkman and transistor radio. But in terms of innovation, the mantle passed to the iPhone more than a year ago.
Outside the Lines
No escape from the perfect financial storm
After this perfect storm, brewed out of years of habit and taken down by mortgages for the masses, consumers and businesses will be far more conservative in their spending habits.
Video
Daily Debrief: Talking with Newt Gingrich on tech, bailout
News - Digital Media
Click-to-buy links for songs, games added to YouTube
YouTube is adding links to Amazon.com and the iTunes Store from the pages of thousands of its videos, making it easier for people to buy an MP3 they hear or a video game that looks good.
Video
Mercury exposed
News - Politics and Law
Government use of biometrics still raises privacy concerns
Government and information technology industry representatives on Tuesday discussed how to make the public comfortable with the increasingly sophisticated ways the government collects identifiable information.
News - Cutting Edge
Astronaut training awaits Esther Dyson
The tech pundit and investor is girding for six months of training at Russia's Star City, as an understudy to International Space Station-bound Charles Simonyi.
Gallery
Photos: Top 10 reviews of the week
Crossfade
The Cute Lepers, 'Terminal Boredom': Free MP3 of the Day
Download a free MP3 of "Terminal Boredom" courtesy of CNET Download Music.
Green Tech
Army plans 500-megawatt solar thermal farm
A new Army energy strategy includes plans for what could become the world's largest solar thermal farm, as well as geothermal and biomass-to-fuel projects.