The first time I encountered this problem was two weeks ago. I was using my PC when an instant message from my niece suddenly popped up. To my surprise, the message with some clickable link in it was written in Thai! Right there, I knew it didn’t come from my niece. Ignoring the message, I closed the YM window. After a few minutes, another message popped up. Then followed by another, and another, and another… Annoyed, I removed my niece from my YM’s contact list.
After a week, I received a similar instant message from my sister-in-law. This time, the message was an invitation to view some photos in some website by clicking the provided link. Since there was no other note included, I suspected that the message was not from her. My suspicion was confirmed when after a few seconds, another message was sent. Hmm, another compromised messenger account, I thought. I sent a message back and advised her to change her messenger password ASAP.
I initially thought that this was some kind of instant messaging spam. After running a search on Google, I realized that it is even worse. There seem to be two forms of attack: one is an actual virus/worm that spreads via instant messaging, and the other is a phishing attack launched against YM users. For the latter, the attack usually starts with an instant message that appears to come from someone on the user’s contact list. The message usually includes a link to a Yahoo-looking site that requires visitors to log in, thus revealing their Yahoo ID and password. The phisher then uses this information to trick other YM users in the contact list of the compromised account. Worse, the phisher also gains access to all personal information in the user’s other Yahoo accounts such as emails, photos, groups, etc.
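To make the "Yahoo-looking site" point concrete, here is a small added example (not part of the original post) that checks where a link from an instant message really leads before anyone types a password into it. The trusted-domain list and the sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: only hosts under yahoo.com count as genuine.
TRUSTED_DOMAINS = {"yahoo.com"}

def classify_link(url):
    """Return (verdict, reason) for a link received in an instant message."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ("suspicious", "non-web scheme")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no hostname")
    # Anything before '@' is userinfo, not the site that will be contacted.
    if parts.username is not None:
        return ("suspicious", "text before @ hides real host " + host)
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "raw IP address instead of a name")
    except ValueError:
        pass  # not an IP literal, keep checking the name
    if host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode host, possible look-alike characters")
    for domain in TRUSTED_DOMAINS:
        # Match the domain itself or a true subdomain, never a mere substring.
        if host == domain or host.endswith("." + domain):
            return ("trusted-domain", host)
    if any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
        return ("suspicious", "brand name inside unrelated host " + host)
    return ("unknown", host)

# Constructed sample links (reserved example domains and addresses only).
SAMPLE_LINKS = [
    "https://login.yahoo.com/config/login",
    "http://login.yahoo.com@photos.example.net/view",
    "http://yahoo.com.photos-login.example/",
    "http://192.0.2.10/yahoo/login.html",
    "http://example.org/album",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

A "trusted-domain" verdict only says the host belongs to the expected domain; a link to an unrelated site sent from a compromised contact still deserves the same caution.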
The virus/worm version is reported to take control of your messenger and send messages with website links to your contact list without your knowledge. When the link is clicked, the virus downloads a copy of itself to the user’s PC, disables the registry editor and task manager, hijacks the Internet Explorer homepage, and leads users to sites that automatically install malicious software on their PCs. Moreover, there seem to be several variants of this virus/worm out there: Yh032.explr, w32.KMeth, Worm_Sohanad.B, etc.
If you are already infected, the easiest way to remove the virus/worm is to use System Restore if you are using Windows XP. See Microsoft Help for details. Be sure to choose a restore point from before you got the virus/worm, and then scan your system for any signs of the virus/worm after the restore. Update your PC regularly and use an up-to-date antivirus program. If this doesn’t work, you can also check this site (http://de.trendmicro-europe.com/enterprise/…) for instructions on how to remove the Sohanad.B variant.
So, the next time a friend of yours sends you an instant message with suspicious links, beware! By clicking those links, you could be opening your PC to a lot of trouble. 🙂
I have an entry from a couple of weeks ago regarding this issue: http://www.ajalapus.com/blog/2006/11/02/was-the-messenger-virus-controlled/
I suggest you use *Firefox* and some others recommend *Gaim.* Though I use only Firefox and my Yahoo! Messenger (official client) is vulnerable, clicking the link opened the window in my Firefox browser and nothing else happened–only IE is vulnerable to this and many other attacks.
i’ll keep that in mind. hehehe.
Hi,
My name is Amy Domestico and I am the Programming Manager for BlogTalkRadio.com.
First off, I read your blog on the YM phishing thing and I had that happen to me, and boy was it a pain in the neck. It resent to everyone on their list and then it was sending back to me; it went on forever.
Also
I would like to talk to you about you using our internet radio platform to reach out to your people in a radio show forum. I believe our platform is perfectly suited for you. The shows air live, have unlimited universal streaming and are available for downloading and podcasting afterward.
I encourage you to take a look at our website, which is located at http://www.blogtalkradio.com. I would be more than happy to answer any questions you may have.
Thank You
Amy Domestico
Programming Manager
amydomestico@blogtalkradio.com
same thing has been trying to get into my computer. i did click the link and log onto the ‘yahoo site’ given (what was i thinking?) and i’m using firefox. the next day my friends were complaining that they got the link from me through YM. i scanned my pc using kaspersky but nothing was found and my pc seems to be ok at the moment. so i guess i’m still infected even though i’m using firefox. but would it be a lot worse if i’m using IE? should i restore my pc or take the necessary steps to get rid of the worm/virus and to protect my details? but there’s nothing wrong with my pc right now
hi radz, if you’re using firefox, maybe you’re not infected with the virus type. however, since you logged into the ‘yahoo site’, the phisher now has your login info, which he has been using to trick your YM contacts. this means that he also has access to all of your yahoo account. change your yahoo password ASAP to minimize exposure.
thanks baggy, for the tip. changed my password already 😉
gyah! this happened to me too. my yahoo account was phished. i couldn’t risk losing my yahoo account so i e-mailed yahoo and had them fix it. they were courteous enough to do so.
can anybody help me? i think there’s a virus in my yahoo messenger. when i chat there is some text coming in inviting my chat to open the sex windows the website.. what will i do.. not them to appear again..
lyn
very good
Yeah that's a kind of virus….
Now another virus is spreading in YM
namely “FUNNY UST SCANDAL”.
If you get infected by this virus, all the people on your list will get infected too….
that's all…. 😀
and take note.. IT CANNOT BE REMOVED AGAIN :d
I got this Virus >_<"
I installed Spybot so i can recover the damage on the registry
I'll suggest that you guys install Spybot ^_^ it copies your Registry so that when there's a problem with your registry you can simply recover it ^_^ and i recommend Ad-aware too ^_^
can i ask a question.. does anyone here know what is the infected system, or register does the FUNNY UST SCANDAL worm/virus attacks to manipulate your logs? tnx guys:D