Yahoo IM worm plants fake ‘safety browser’

Researchers at FaceTime Security Labs have discovered a worm that installs its own web browser onto affected PCs after it's downloaded through an instant messenger (IM) program.

The yhoo32.explr worm spreads through Yahoo Instant Messaging by a link that leads users to Myspace and forum message boards. After the file is downloaded, looped music – heavy with drums and electric guitar – blare from an infected PC, according to FaceTime’s Spyware Guide blog.

Once the worm, posing as a "location technology" download for localized content, is downloaded, a new web browser – called the "safety browser" appears on an affected PC’s desktop.

When the affected user checks the profile of another Yahoo IM user, the worm sends an infection link to another user, according to FaceTime.

In some cases, the malware takes a user to a site offering supposed free gifts, which are actually links to hijack sites that bombard users with viruses, adware and spyware, according to the security firm.

"This is one of the oddest and most insidious pieces of malware we have encountered in years," said Tyler Wells, senior director of research at FaceTime. "This is the first instance of a complete web browser hijack without the user's awareness."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.