[ISN] IM worm installs 'safe' Web browser

From: InfoSec News (isn@private)
Date: Mon May 22 2006 - 22:22:35 PDT


By Joris Evers 
Staff Writer, CNET News.com
May 22, 2006

A new instant messaging worm installs a rogue Web browser called
"Safety Browser" and hijacks the user's Internet Explorer home page,
experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found
two weeks ago on the Yahoo instant messaging network and was still
active as of Friday, Tyler Wells, senior director of research at
FaceTime, a seller of instant messaging security products, said in an

The worm drops the "Safety Browser" on the target's machine. The rogue
browser uses the same icon as Microsoft's IE Web browser and, when
opened, takes users to a site that installs spyware on the PC,
FaceTime said. "This is the first recorded incidence of malware
installing its own Web browser on a PC," the company said in a

The pest also sets the victim's IE home page to Safety Browser's Web
site and plays looped music that cannot be stopped, FaceTime said.  
Additionally, when installed the worm sends itself to all of the
infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC.  
The link may also say "Goat_Ensem Bot" with a smiley. After someone
clicks the link, at least one warning will be displayed to tell the
user that software is about to be downloaded or installed and that
this may be malicious, Wells said.

Researchers at Foster City, Calif.-based FaceTime discovered the pest
after it hit on one of their test machines. These PCs are connected to
instant messaging networks and typically logged in to chat rooms,
which often are the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats
by not clicking unexpected or unsolicited links.

Copyright 1995-2006 CNET Networks, Inc
