Sunday, May 2, 2010

About Yahoo Messenger Viruses!


The first time I encountered this problem was two weeks ago. I was using my lappy when an instant message from my niece suddenly popped up. To my surprise, the message with some clickable link in it was written in Thai! Right there, I knew it didn't come from my niece. Ignoring the message, I closed the YM window. After a few minutes, another message popped up. Then followed by another, and another, and another... Annoyed, I removed my niece from my YM's contact list.


After a week, I received a similar instant message from my one of my friend. This time, the message was an invitation to view some photos in some website by clicking the provided link. Since there was no other note included, I suspected that the message was not from her. My suspicion was confirmed when after a few seconds, another message was sent. Hmm, another compromised messenger account, I thought. I sent a message back and advised her to change her messenger password ASAP.

I initially thought that this was some kind of an instant messaging spam. After running a search in Google, I realized that it is even worse. There seems to be two forms of attack, one is an actual virus/worm that spreads via instant messaging and the other is a phishing attack launched against YM users. For the latter, the attack usually starts with an instant message from the user's contact list. The message usually includes a link to a Yahoo-looking site requiring visitors to login and thus revealing their yahoo id and password. The phisher then uses this information to trick other YM users in the contact list of the compromised account. Worse, the phisher also gains access to all personal information in the user's other Yahoo accounts such as emails, photos, groups, etc.

The virus/worm version is reported to take control of your messenger, and send messages with website links to your contact list without your knowledge. When the link is clicked, the virus downloads a copy of itself to the user's PC, disables the registry editor and task manager, hijacks Internet Explorer homepage, and leads users to sites that automatically install malicious softwares on their PCs. Moreover, there seems to be several variants of this virus/worm out there: Yh032.explr, w32.KMeth, Worm_Sohanad.B, etc.

Y! Messenger viruses take advantage of the program's vulnerabilities that come with Java script and VBS. You can be infected simply by clicking a link to a picture (.JPG). When the page presenting that picture loads, java scripting run's a VBS (visual basic script - works on any Windows machine) that rewrites data on your harddisk. After you get infected, the virus starts sending mass messages to all contacts in your list asking them to follow a link, like in the example bellow. The messages vary, being generated randomly from different keywords from the virus's database.

If you are already infected, the easiest way to remove the virus/worm is to use system restore if you are using Windows Vista/7. See Microsoft Help for details. Be sure to choose a restore point before you got the virus/worm and then scan your system for any signs of the virus/worm after the restore. Update your PC regularly and use an up-to-date antivirus program. If this doesn't work, you can try to do the next steps:


1: Close the IE browser. Log out messenger / Remove Internet Cable.

2: To enable Regedit

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

3: To enable task manager : (To kill the process we need to enable task manager)

Click Start, Run and type this command exactly as given below: (better - Copy and paste)

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

4: Now we need to change the default page of IE though regedit.

Start>Run>Regedit

From the below locations in Regedit chage your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

5: Now we need to kill the process from back end. Press Ctrl + Alt + Del

Kill the process svhost32.exe . ( may be more than one process is running.. check properly)

6: Delete svhost32.exe , svhost.exe files from Windows/ & temp/ directories. Or just search for svhost in your comp.. delete those files.

7: Go to regedit search for svhost and delete all the results you get.

Start menu > Run > Regedit >

8: Restart the computer. That’s it now you are virus free.

I don’t know whether any removal patch that works for such Trojans/viruses. But we can easily delete them manually.

As a precaution steps, please download anti-virus & anti-malware software from the provider NOT somewhere like download.com - you're just as likely to end up ADDING more bugs.
ESET Node32 is good to prevent the viruses. Malwarebyte anti-malware also can be used to protect your PC from any malware.

And DO NOT uninstall Yahoo Messenger what ever you do - the virus's signature will likely be attached to the program itself. If that is the case, you can buy the bugger deeper in your PC and make it even MORE difficult for your anti-viral/anti-malware software to remove the problem. If Messenger needs to be removed at all, your client will remove it whilst removing the virus/malware, or let you know afterwards if you need to do so.

0 comments:

Post a Comment