Fake Facebook worm spreading through Yahoo, IRC

  • August 1, 2010
  • 2 min read


Between email spam, Twitter and Facebook, let us not forget one of the most prevalent media through which malware spreads. Instant messengers have always been a popular channel for malware propagation, and at Emsisoft Labs we recently came across worm-like behaviour attempting to spread through Yahoo! Messenger.

The initial picture is familiar to anyone who uses Messenger: a message window pops up from a contact with the text “Is this you on pic?” followed by a (defanged) hxxp:// link.

If the victim clicks the hyperlink, the default browser opens and a file download prompt appears. We found the following few common executable download links:

Analysing further, we see the parent URLs below:

On execution, the malicious file opens the browser at http://browseusers.myspace.com/Browse/Browse.aspx as a decoy while it runs its malicious activities in the background.

We did some initial research and, based on some loose strings from the worm, tried to determine the payload. The worm locates the Yahoo! Messenger application by searching for a window with the class name “YahooBuddyMain”, then emulates keyboard events to type fake messages to all of the victim's Yahoo! Messenger contacts. Because the messages are typed into the legitimate client, they are sent from the victim's own account and look like an ordinary chat to the recipients.

The worm also tries to spread itself through IRC; below is an IRC log of the traffic:

The malware also polls keyboard state using the GetKeyState and GetAsyncKeyState APIs, which suggests keylogging as a further capability. Polling these APIs is not by itself proof of a keylogger, since ordinary input handling uses them too, but in a sample that already hunts for another application's window and injects keystrokes it is a strong indicator.
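The string-based triage described above (locating the “YahooBuddyMain” window class, the keyboard-state APIs, and the IRC spreading) can be turned into a small static scanner. The following is an added example written for this page, not Emsisoft's tooling or the worm's code. The sample bytes are constructed to resemble a PE import table and resources; the example.invalid URL, the IRC verbs and the keybd_event/SendInput names are assumptions about what such a worm typically contains, while YahooBuddyMain, GetKeyState, GetAsyncKeyState and the myspace.com decoy URL come from the post.

```python
"""
Static triage of a suspected messenger worm: extract printable strings from
a binary blob and score them against the behavioural indicators discussed in
the post (target window class, keyboard-state polling, synthetic keystrokes,
IRC verbs, lure text and download URLs).
"""
import re
from collections import defaultdict

# CONSTRUCTED stand-in for a PE section: ASCII import names separated by NULs,
# binary noise, one UTF-16LE resource string, and some raw IRC fragments.
# It is not the real worm.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"FindWindowA\x00GetKeyState\x00GetAsyncKeyState\x00keybd_event\x00"
    b"\x01\x02\x03YahooBuddyMain\x00\x7f\x80"
    + "Is this you on pic? http://example.invalid/pic.exe".encode("utf-16le")
    + b"\x00\x00NICK wrm\x00JOIN #chan\x00PRIVMSG \x00"
    b"http://browseusers.myspace.com/Browse/Browse.aspx\x00"
)

# Indicator categories. Names not taken from the post are assumptions about
# typical worm imports (SendInput/keybd_event, raw IRC verbs).
INDICATORS = {
    "yahoo_messenger_target": [r"YahooBuddyMain", r"FindWindow[AW]?"],
    "keystroke_monitoring": [r"GetAsyncKeyState", r"GetKeyState"],
    "synthetic_input": [r"keybd_event", r"SendInput"],   # assumption
    "irc_spreading": [r"^(NICK|JOIN|PRIVMSG)\b"],        # assumption
    "lure_message": [r"Is this you on pic"],
    "download_url": [r"https?://\S+"],
}


def extract_strings(data: bytes, min_len: int = 6):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars.

    Windows binaries keep import names as ASCII and much resource text as
    UTF-16LE, so both encodings are scanned; ASCII strings come first.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in utf16_re.finditer(data)]
    return found


def score(strings):
    """Map each indicator category to the strings that triggered it."""
    hits = defaultdict(list)
    for s in strings:
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[category].append(s)
    return dict(hits)


def verdict(hits):
    """Combine categories into the behaviours the post describes.

    Messenger propagation needs both a target window and a way to type into
    it; keyboard-state polling alone is only flagged as 'keylogger', since
    legitimate input handling uses the same APIs.
    """
    worm_like = "yahoo_messenger_target" in hits and "synthetic_input" in hits
    return {
        "worm_like": worm_like,
        "keylogger": "keystroke_monitoring" in hits,
        "irc": "irc_spreading" in hits,
    }


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    hits = score(found)
    for category, matched in hits.items():
        print(f"{category:24s} {matched}")
    print(verdict(hits))
```

Run against a real sample, the scanner should be pointed at the unpacked binary or a memory dump; a packed executable will hide most of these strings, and the absence of hits then means nothing.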

Emsi

Emsisoft founder and managing director. In 1998, when I was 16, a so-called 'friend' sent me a file via ICQ that unexpectedly opened my CD-ROM drive, which gave me a big scare. It marked the start of my journey to fight trojans and other malware. My story