May 22, 2006 6:35 PM PDT

IM worm installs 'safe' Web browser

A new instant messaging worm installs a rogue Web browser called "Safety Browser" and hijacks the user's Internet Explorer home page, experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found two weeks ago on the Yahoo instant messaging network and was still active as of Friday, Tyler Wells, senior director of research at FaceTime, a seller of instant messaging security products, said in an interview.

The worm drops the "Safety Browser" on the target's machine. The rogue browser uses the same icon as Microsoft's IE Web browser and, when opened, takes users to a site that installs spyware on the PC, FaceTime said. "This is the first recorded incidence of malware installing its own Web browser on a PC," the company said in a statement.

The pest also sets the victim's IE home page to Safety Browser's Web site and plays looped music that cannot be stopped, FaceTime said. Additionally, when installed the worm sends itself to all of the infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC. The link may also say "Goat_Ensem Bot" with a smiley. After someone clicks the link, at least one warning will be displayed to tell the user that software is about to be downloaded or installed and that this may be malicious, Wells said.

Researchers at Foster City, Calif.-based FaceTime discovered the pest after it hit on one of their test machines. These PCs are connected to instant messaging networks and typically logged in to chat rooms, which often are the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats by not clicking unexpected or unsolicited links.

See more CNET content tagged:
FaceTime Communications, IM, Web browser, worm, Yahoo! Inc.

16 comments

Join the conversation!
Add your comment
IM Worm
It should be very effective if it does in fact sends it self to the victims contacts, average computer users know little about worms and spyware. Another good example which demonstrates the need for reliable anti-spyware software and making people aware. As well as discontinue using the old IE and switching to Firefox.
______________________________
R.K.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com" target="_newWindow">http://www.Remove-All-Spyware.com</a>
Posted by Roman12 (214 comments )
Reply Link Flag
???
How is Firefox going to prevent this? Firefox is not going to solve every virus problem known to mankind. The fact that the computer warns you that you are downloading someting and it might be dangerous is good enough. You can't prevent stupid people from doing stupid stuff. You can either block and deactivate things without people knowing or asking the user if its ok to do this. If they say "yes, please download this virus." Then there is nothing anyone can do.
Posted by Gasaraki (183 comments )
Link Flag
This IM warm was discovered in India and not calif.
Just Correcting the Data.
Posted by nonicks (89 comments )
Reply Link Flag
Temporary cure
For cryin' out loud, people need to get off of IE and start using FF or Opera. It won't solve every problem no, but should be a temporary shield.
Posted by pentium4forever (192 comments )
Reply Link Flag
Reading the article might help...
The worm isn't installed through Internet Explorer, IE does not have an IM component. So switching to Firefox will do absolutely nothing to prevent infection with this worm. Duh...
Posted by twagnerma (3 comments )
Link Flag
simple final fix
a simple fix for all non-link based IM viruses is to ditch the client from Yahoo/AIM/MSN and get Trillian. its that simple. now you cant prevent stupidity like everyone was saying, where someone will click on the link. but what are you going to do? Ill admit it, i had clicked on a link, where the text before it stated: "how is this for a Myspace profile picture? and a link after it, that was stated as a jpg file, whne i clicked on it, IE tryed to DL a DAT file, well nothing on my computer defaults to open a DAT. so i got a little curious and wanted to open it up in notepad to see if it was a compiled DAT or a scripted DAT, and unfortunatly it was compiled and i couldnt see and of the code. i dont have a decompiler so i couldnt figure out how it worked.
But still, Trillian is the best approtch to getting rid of the nasty IM infested non-link viruses. i have been useing it for the last 6-7 years and never, ever have gotten infected with a IM based virus from it.
Posted by CaptDave86 (30 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.