New Yahoo Messenger Hijacker Trojan - An Indepth Explanation And Solution

[-Abhishek-]

So today, like any other day, I logged on to Yahoo Messenger only to be stormed by PMs from about 7 of my clients (serious people, for that matter) with kiddish text, smilies and a link to a common site. It didn’t take time for me to realise that something was very-very wrong here.

I began exploring and researching about it and even tried the link on various browsers on an old machine I have. My research drew a few conclusion. A few of you might be interested to read on.

This apparently is a new trojan that infects Internet Explorer and is a bait to get ad revenue.

Conclusions (Confirmed)
1. It uses msinet.ocx and web browser control for communicating with websites or downloading more file.
2. It begins by adding an unusual taskkil.exe in your System32 directory, which is a program to kill System Processes.
3. Creates a batch script located at C:\killav.bat to kill antiviruses.
4. It accesses XXX, where the developer may enter commands for the application to update itselves.
5. It then begins access to XXXX, which shows adbrite ads when opened in Firefox, maybe there is an autoclicking feature encoded.
6. It downloads the executable from YYY which it then renames to svchost32.exe
7. It also downloads the executable at YYYY

The developer seems to want this trojan to be termed “Termex” since he owns the domain Mytermex(dot)com (Donot Visit this Site) and has directories named “Termex” on the server where he hosts his Executables!

The code is no doubt a good one, but I’d have preferred if he must’ve used this knowledge for good. Now apparently this doesn’t seem to affect FireFox/Mozilla and Opera Browsers (Note the apparently) but IE users are doomed.

I am Infected! Now what ?
Don’t Panic Tech Guru has written a nice tutorial to save yourself from this Trojan, I haven’t tried it yet, but from the look of it ,it appears that it’ll work. So go ahead and find it here
http://www.newsfactor.com/blog_article.php?aid=305161

How does this spread ?
I am not aware of the other mediums but yes, I mselves have witnessed this propogating through Yahoo Messenger, and there is a possibility that it may send your Yahoo ID/Password to the attacker.
Possible PMs that you may get are

Quote:

damn, she is so cute hxxp://nsl-school.org?id=miss_world (Donot Open this URL in your Browser)

Quote:

have you ever seen such a silly man like this ? hxxp://nsl-school.org?id=stories (Donot Open this URL in your Browser)

Quote:

Download Free MP3s at hxxp://nsl-school.org?id=mp3 (Donot Open this URL in your Browser)

These Message are generally very tempting and make you click on the link, but once you do, You’re doomed!

!!!WARNING DONOT OPEN THE URLS BELOW IN YOUR BROWSER OR YOU MAY GET INFECTED!!!
XXX = hxxp://giftshop.vn/update.txt
XXXX = hxxp://www.myglobal-news.com
YYY = hxxp://italiandirectory.com/termex/host2.exe
YYYY = hxxp://italiandirectory.com/termex/host.exe

Possible Domains Owned by the Developer of this Trojan
hxxp://www.nsl-school.org
hxxp://www.giftshop.vn
hxxp://www.myglobal-news.com
hxxp://www.italiandirectory.com

I have managed to accumulate the above data, and will go on updating this post as I find more stuff.

If you found this article then please DIGG IT

Original Article on my Blog

Abhishek

[dotcompals]

Abhishek, thank you very much for this useful information

[-Abhishek-]

You're Welcome dotcompals ... Glad I could be of help!

For other's, to prove my point on how fast this trojan has been spreading!
You might want to see this,
http://www.alexa.com/data/details/tr...nsl-school.org

Abhishek

[fordP]

ouch, luckily i dont use IE. Thanks for the info

[-Abhishek-]

Quote:

Originally Posted by fordP

ouch, luckily i dont use IE. Thanks for the info

Nor do I, possibly this was why I was saved!

When I got the Yahoo! PM, my first reaction was that maybe my client launched a new site and had PMed me to inform about it (though it's quite unusual for him to do that)

But when I checked the link, I immediately found stuff to be wrong here!

When I went back to my offlines, I noticed the same message from a few more of them and so it led me into investigating it and the above report was then created by me!

If someone found it useful, then cheers!

Abhishek

[Bondat]

I hope my sister wont click it. Because sometimes they tend to click it eventhough I've warned them already.

[-Abhishek-]

Quote:

Originally Posted by Bondat

I hope my sister wont click it. Because sometimes they tend to click it eventhough I've warned them already.

That's the primary reason why I have made the URLs Not Clickable! And have given warnings in bold!
If they still goto the URLs ... then ...umm ... well you know it!

[pro_flash_4_u]

Solve all your problems, get a mac!

[RedruM*]

do you have to download it , or just go to the link ?

[Seiya]

With ie,just go to the link for sure lol. Im at school, its so tempting to check those links!

---

ahh lol, i accidentaly got to the site through alexa and IE auto download the virus. however, the school antiviruse caught me and now im being escorted by security to the detention hall! hahah just kidding , but yeh the antivirus got it and delted it!

[khasmoth]

Heres the message I received this morning.
Dont visit the link BTW

Code:

 Use this tool to remove viruses from your PC : http://myglobal-news.com/?id=virus_shield

[/quote]

Code:

sylailing (10/11/2006 9:31:52 AM): oh my god , i've won a 20000 usd lottery :O http://nsl-school.org/?id=winning_list . Come to my house tonight for a party !! >:D<

[-Abhishek-]

Your Friend has been infected by the very same trojan I mentioned! Give him/her the above link!

Abhishek

[khasmoth]

Quote:

Originally Posted by -Abhishek-

Your Friend has been infected by the very same trojan I mentioned! Give him/her the above link!

Abhishek

Yeah thanks for this link. Just wondering if she manually send the link to me as well? Or it's automatic?

[-Abhishek-]

It's automatic, the trojan Hijacks Yahoo Messengers and send IM to the people in the list.

It most likely imports the Address List from your Y! Messenger and utilises the "ymsgr:SendIM?Yahoo ID" to send those IMs to your list! Thereby propogating the link and infecting the people on the list!

Abhishek

[Indian]

I was about to click this link which was displayed as a friend's status on Yahoo Messenger. Thought it would be her picture and I use IE

[-Abhishek-]

Harry, you use IE ? Firewall pe sabko FireFox use karne bolta tha !!! Haha ...

Yes this affected a lot of people, I was surprised when I got the same PM from about 7 people! Thank your stars ... you're saved! Hehe

[Indian]

Quote:

Originally Posted by -Abhishek-

Harry, you use IE ? Firewall pe sabko FireFox use karne bolta tha !!! Haha ...

Yes this affected a lot of people, I was surprised when I got the same PM from about 7 people! Thank your stars ... you're saved! Hehe

I like Firefox but dunno...due to some reason I always click on the IE logo next to the start button. One thing I hate about FF is the tabs at the top...I am used to click multiple tabs at the bottom...Is there a way to bring those tabs below?

[-Abhishek-]

Tabbrowser Preference Extension Explained

Cheers!

Abhishek

[Indian]

Problem solved. Thanx Bro

[Nida G]

its also try to use our msn..but its not work correctly on it...but shit working on yahoo..I am also infected...thanks abheshak for solution...