
Yahoo Messenger Worm Infects Internet Explorer

This topic is archived.
survivor999 Donating Member (1000+ posts) Wed May-24-06 05:13 AM
Original message
Yahoo Messenger Worm Infects Internet Explorer
Edited on Wed May-24-06 03:14 PM by newyawker99
By Clement James
VNUNet.com
05/22/06 8:24 AM PT

"This is one of oddest and more insidious pieces of malware we have encountered in years, and the first instance of a complete Web browser hijack without the user's awareness," said Tyler Wells, senior director of research at FaceTime Security Labs.

Security researchers have identified an "insidious" threat affecting Yahoo (Nasdaq: YHOO) Messenger.

A self-propagating worm, named yhoo32.explr, installs a piece of software called "Safety Browser" and then hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs.

Because Safety Browser uses the Internet Explorer icon to identify itself, users can easily mistake it for the legitimate Microsoft (Nasdaq: MSFT) browser.

This is the first recorded incidence of malware installing its own Web browser on a PC without the user's permission, according to security firm FaceTime.

The self-propagating worm spreads the infection to all contacts in Yahoo Messenger by sending a Web site link that loads a command file onto the user's PC and installs Safety Browser.

More at link:

http://www.technewsworld.com/story/50655.html

EDIT: COPYRIGHT. PLEASE POST ONLY 4 OR 5 PARAGRAPHS
FROM THE COPYRIGHTED NEWS SOURCE PER DU RULES.

sutz12 Donating Member (1000+ posts) Wed May-24-06 05:16 AM
Response to Original message
1. K & R nt

Breeze54 Donating Member (1000+ posts) Wed May-24-06 06:12 AM
Response to Original message
2. I can't find any mention of it on Symantec site
Edited on Wed May-24-06 06:14 AM by Breeze54
and I'm wondering why I can't find a solution for removal anywhere! :shrug:
Not that I'm infected (I don't use IE) but Facetime seems to be the only ones reporting this.

---------------------------
http://www.facetime.com/pr/pr060519.aspx
Press Release

Self-Propagating Worm Installs Unsafe "Safety Browser"

FaceTime Security Labs Warns Against Homepage Hijack

FOSTER CITY, CALIF – May 19, 2006


Research experts at FaceTime Security Labs™ identified and reported a new threat today
affecting Yahoo! Messenger. FaceTime researchers confirmed that a self-propagating worm,
named yhoo32.explr, installs 'Safety Browser' and hijacks the Internet Explorer homepage,
leading users to a site that puts spyware on their PCs.
Because Safety Browser uses the IE icon, users can easily mistake it for Internet Explorer.
This is the first recorded incidence of malware installing its own web browser on a PC
without the user's permission.

The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by
sending a website link that loads a command file onto the user's PC and installs Safety
Browser. This spam over instant messaging (IM) is called spim.
IM applications and protocols are an increasingly popular vector to distribute malicious
files and executables.

"This is one of oddest and more insidious pieces of malware we have encountered in years,"
commented Tyler Wells, Senior Director of Research at FaceTime Security Labs.
"This is the first instance of a complete web browser hijack without the user's awareness.
Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious
damage by directing end-users to potentially illegal or illicit material.
'Rogue' browsers seem to be the hot new thing among hackers."

The India research arm of FaceTime Security Labs discovered the threat in a 'honeypot',
a trap they set to detect viruses, worms, spyware and other threats.
Commentary on this threat by FaceTime Security Labs researcher Chris Boyd can be found
on the Greynets Blog, at
http://blog.spywareguide.com. FaceTime Security Labs is the
threat research division of IM and Greynet security leader FaceTime Communications.

Threat name: yhoo32.explr
Threat type: Browserware and worm
Who is affected: Users of Yahoo! Messenger
Additional Information: The malware infects the PC with two elements.

The first element is a web browser called "Safety Browser."
This stand-alone application has no uninstaller and disguises itself with an Internet Explorer
logo in some instances. The application also hijacks the personal homepage in Internet Explorer
and points users to Safety Browser's homepage (demoplanet.tv). The hijack also plays looped
music that cannot be stopped when the user starts up the PC or Safety Browser.

The second element is the self-propagating worm.
This worm installs an .exe file that spreads the infection through Yahoo Messenger
to everyone on the Contacts List.


hobbit709 Donating Member (1000+ posts) Wed May-24-06 07:27 AM
Response to Reply #2
3. Symantec lists it as
W32.Browaf is a worm that sends a link to a copy of itself via Yahoo Instant Messenger and MIRC. It also modifies the Internet Explorer Home page.
Note: Definitions dated prior to May 24, 2006 may detect this threat as Backdoor.Trojan.
Also Known As: W32.Browsesafe
Type: Worm
Infection Length: 348,620 bytes.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Breeze54 Donating Member (1000+ posts) Wed May-24-06 07:33 AM
Response to Reply #3
4. Thanks - I searched using
this name yhoo32.explr and yhoo32 on Symantec and received zero results.
They usually have more than one name listed or a cross link.
My YIM should be fine then. ;)

shadowknows69 Donating Member (1000+ posts) Wed May-24-06 07:34 AM
Response to Original message
5. YM has always been a plague on my system
the brief time I used it.

quiet.american Donating Member (1000+ posts) Wed May-24-06 10:01 AM
Response to Original message
6. Thank goodness I stopped using IMs a long time ago.
When it first came out back in the day, it was "cool," but then I started getting annoyed at having absolutely no down time from people trying to get in touch with me. Between the home phone, cell phone, home phone voicemail, work phone voicemail, and three different email addresses, I finally figured there were enough ways to get in touch with me without my needing to add an IM.

Breeze54 Donating Member (1000+ posts) Wed May-24-06 10:07 AM
Response to Reply #6
7. I just adjust my
preferences for IM's from contacts only. ;) I block unknowns.

I use YM to go to Yahoo Political Chatroom 10 and to talk to friends live!

quiet.american Donating Member (1000+ posts) Wed May-24-06 10:15 AM
Response to Reply #7
10. That's good, but I don't want to hear from anybody! ;) n/t

Recursion Donating Member (1000+ posts) Wed May-24-06 10:09 AM
Response to Original message
8. If you absolutely must use Windows
(and you probably don't *need* Windows, you just think you do), then use GAIM.

in_cog_ni_to Donating Member (1000+ posts) Wed May-24-06 10:12 AM
Response to Original message
9. CRAP. My son just told me last night he thinks he has a virus or something
because his computer is "acting funky" and he uses Yahoo all the time and Yahoo Messenger. He can't use it at all. I haven't looked at it yet. He has Norton anti-virus though. Wouldn't that catch it? Damn. Does anyone know what I should do? Should I run a Norton scan? Will that help? Keep in mind that you're talking to a computer illiterate here...that's me. ;)

Breeze54 Donating Member (1000+ posts) Wed May-24-06 10:52 AM
Response to Reply #9
11. ah...run the update
on NAV and then run a scan. I use automatic NAV updates. Much easier!

in_cog_ni_to Donating Member (1000+ posts) Wed May-24-06 11:07 AM
Response to Reply #11
12. Can't. I just looked at his computer and can't even log on.
Edited on Wed May-24-06 11:08 AM by in_cog_ni_to
He gets a blue "Fatal Error Log On Canceled. C000021a The system has been shut down Due to Status of OXC0000135 OX00000000 OX00000000." Looks like another trip to the computer repairman. :(

Breeze54 Donating Member (1000+ posts) Wed May-24-06 12:07 PM
Response to Reply #12
13. Have you rebooted the computer at all?
Do you have a RECOVERY CD?? Use it!!

in_cog_ni_to Donating Member (1000+ posts) Wed May-24-06 01:24 PM
Response to Reply #13
14. OK. I'm sure we have one. Thanks. n/t

Breeze54 Donating Member (1000+ posts) Wed May-24-06 01:48 PM
Response to Reply #14
15. Just do a 'Partial Recovery' to
save your programs you installed.
Don't do a 'Full recovery' as it will wipe out all your programs!!
Hope I caught you in time! whew! ;)