News

IM worm runs wild online

05 May 2010

A network worm is spreading through Yahoo Instant Messenger, and has aggressively infected systems globally, according to security vendors.

Called Palevo by some, and Yimfoca by others, the malicious software is attacking users of Yahoo! Instant Messenger. It spreads itself by sending an instant message to a victim's contacts containing a link claiming to be a photograph. In reality, it points to a malicious executable.

BitDefender identified the executable containing a malicious payload as Worm.P2P.Palevo.DP. "Having an unprotected system infected with Palevo.DP is a synonym for mayhem," said the company in a statement. The worm creates several hidden files in the Windows folder and modifies registry keys to point toward those files, thereby bypassing the operating system's firewall.

"As with its siblings, Palevo.DP holds a backdoor component, which allows remote attackers to seize control over the compromised computer and do whatever they want with it – from installing additional malware and swiping files to launching spam campaigns and malware offensives on other systems."

According to Symantec, which identified the malware as W32.Yimfoca, it attempts to connect to a MySpace URL, indicating that its operators are possibly using the social networking site as a command-and-control channel. It stops processes running on the Windows host to disable the Microsoft Malware Protection Service and Windows Update, and then connects to another URL to download a configuration file. It uses port 2345 to connect to two other network addresses and waits there for IRC commands, and finally spreads itself by sending messages that contain links to copies of the worm to all of the victim's instant messaging contacts.

Palevo has been spreading widely via the instant messaging infection vector, according to BitDefender, which says that it is also affecting users of peer-to-peer filesharing platforms. Ares, BearShare, Shareaza, iMesh, Kazaa, eMule and Limewire are being targeted by the worm, said the company, which reported that it adds copies of itself to those applications' shared files. The spreading mechanism also infects network shares and removable USB storage devices, which are compromised via the autorun capability.
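The command-and-control behaviour described above (an infected host opening port-2345 connections to two distinct addresses and waiting for IRC commands) is the kind of pattern a defender can look for in outbound firewall logs. The following is an added example, not code from the article or from either vendor: it parses a handful of constructed log lines in an assumed `<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>` format and flags internal hosts with allowed connections to two or more distinct destinations on port 2345. The log format, the IP addresses and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines for this example (not real traffic).
# Assumed format: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOGS = """\
2010-05-05T10:01:02 10.0.0.15:50112 -> 93.184.216.34:80 tcp allow
2010-05-05T10:01:07 10.0.0.15:50113 -> 198.51.100.7:2345 tcp allow
2010-05-05T10:01:09 10.0.0.15:50114 -> 198.51.100.9:2345 tcp allow
2010-05-05T10:02:30 10.0.0.22:50200 -> 203.0.113.5:443 tcp allow
2010-05-05T10:03:11 10.0.0.22:50201 -> 198.51.100.7:2345 tcp deny
this line is not a log record
"""

# Port reported in the article for the worm's IRC command channel.
SUSPECT_PORT = 2345

LINE_RE = re.compile(
    r'^(?P<time>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def port_hits(log_text, port=SUSPECT_PORT):
    """Map each source IP to the sorted list of destinations it was *allowed* to reach on `port`.

    Denied connections are ignored: a blocked attempt is worth logging elsewhere,
    but it did not establish a command channel.
    """
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed or non-matching line; skip rather than crash
        if rec["dport"] == port and rec["action"] == "allow":
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def find_c2_candidates(log_text, port=SUSPECT_PORT, min_distinct_dst=2):
    """Return hosts that reached at least `min_distinct_dst` distinct destinations on `port`.

    The article reports the worm contacting two addresses on port 2345, so the
    default threshold is two; a single hit is reported by port_hits() for triage.
    """
    return {
        src: dsts
        for src, dsts in port_hits(log_text, port).items()
        if len(dsts) >= min_distinct_dst
    }


if __name__ == "__main__":
    for src, dsts in find_c2_candidates(SAMPLE_LOGS).items():
        print(f"possible IRC C2 beaconing from {src} to {', '.join(dsts)}")
```

Port-based matching alone is brittle, since a later variant can simply change the port; in practice this check is worth correlating with the other indicators the article lists, such as the Microsoft Malware Protection Service or Windows Update being stopped on the same host, or a burst of outbound instant messages carrying the same link.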

According to BitDefender, countries with the highest infection rates are Romania, Mongolia, Vietnam, Indonesia, Australia, Malaysia, Thailand, France, the UK, and Kuwait, in that order.
