    Malware Blog > WORM_SOHANAD spreads via YM

    Today, Senior Anti-Threat Researcher Loucif Kharouni reported a Yahoo Messenger (YM) message that is currently spreading in the wild. It is written in English and contains a link to what are supposedly pictures of the Iraq war. The link was found to be malicious. Here is a screenshot of the message as it is received:

    [Screenshot: yahoo_spam0.jpg]

    Copy-pasting the link into an Internet Explorer browser opens the following Web site:

    [Screenshot: virii.JPG]

    When the Web site is accessed, the URL changes completely. Attempting to view the picture redirects the browser to a malicious Web site, http://72.{BLOCKED}.170/~plobble/smail/lists/etc/index.php.

    [Screenshot: virri2.JPG]

    Once this happens, the malicious routine starts. It changes your YM status to a message containing a malicious link, and it sends the following messages, each carrying a malicious link, to every one of your YM contacts:

    [Screenshot: yahoo_spam4.jpg]

    Once installed and running on your system, the malware drops worm files and their components, creates processes, and prevents the system from running antivirus and security programs. Trend Micro detects the dropped files as WORM_SOHANAD.DC and WORM_SOHANAD.DJ. It also drops a copy of itself in the Windows Startup folder so that it runs every time Windows restarts. It then accesses the following Web sites, probably to download more malicious files:


    • http://72.{BLOCKED}.170/~plobble/smail/lists/etc/worm2007.exe
    • http://72.{BLOCKED}.170/~plobble/smail/lists/etc/YMworm.exe
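The Startup-folder persistence described above is the kind of thing a responder can check directly. The following audit script is an added example and is not part of the original post or any Trend Micro tool: it lists executable-type files in a given folder and reports any whose name, or whose SHA-256 when the name is known, is not on an allowlist. The `demo()` function builds a throwaway folder with invented file names and contents (the "YMworm.exe" entry merely stands in for the worm's copy of itself; the post does not give the name of the dropped file), and the Windows Startup path in `user_startup_folder()` is the standard per-user location on Vista and later.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# File types that should not appear in a user's Startup folder without explanation.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_startup_folder(folder: str, allowlist: Dict[str, str]) -> List[dict]:
    """Return executable-type files in `folder` that are not on the allowlist.

    `allowlist` maps a lowercase file name to its expected SHA-256 hex digest, so a
    known launcher that has been replaced by a same-named file is also reported."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            continue
        digest = sha256_of(path)
        expected = allowlist.get(name.lower())
        if expected == digest:
            continue  # known file with the expected content
        findings.append({
            "name": name,
            "sha256": digest,
            "reason": "hash mismatch" if expected else "not on allowlist",
        })
    return findings


def user_startup_folder() -> str:
    """Per-user Startup folder on Windows Vista and later (built from %APPDATA%)."""
    return os.path.join(os.environ.get("APPDATA", ""),
                        "Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def demo() -> List[dict]:
    """Run the audit on a constructed Startup folder so the example works on any OS.
    File names and contents are invented; 'YMworm.exe' stands in for the worm copy."""
    with tempfile.TemporaryDirectory() as folder:
        files = {
            "backup-tool.exe": b"MZ known good launcher",
            "updater.exe": b"MZ replaced binary",
            "YMworm.exe": b"MZ unexpected executable",
            "readme.txt": b"not executable, ignored",
        }
        for name, data in files.items():
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
        # Allowlist: backup-tool.exe with its true hash, updater.exe with the hash of
        # the original binary, which no longer matches what is on disk.
        allowlist = {
            "backup-tool.exe": hashlib.sha256(files["backup-tool.exe"]).hexdigest(),
            "updater.exe": hashlib.sha256(b"MZ original binary").hexdigest(),
        }
        return audit_startup_folder(folder, allowlist)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['name']}: {finding['reason']} ({finding['sha256'][:16]}...)")
```

On a real host you would call `audit_startup_folder(user_startup_folder(), allowlist)` with an allowlist built from a known-clean baseline; the hash check matters because a worm that overwrites an existing startup entry would otherwise pass a name-only review.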



    The network capture of the infection below shows the request to download the file YMworm.exe (WORM_SOHANAD.DC) from the malicious Web site:

    [Screenshot: cap2.JPG]
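The download requests in the capture above, and the URL list before it, are the indicators a network defender would search proxy logs for. The script below is an added example, not code from the post: it matches requests on the hosting directory and file names named in the write-up (`/~plobble/smail/lists/etc/` with `index.php`, `worm2007.exe` and `YMworm.exe`). Because the host's middle octets are {BLOCKED} in the post, matching is done on the URL path only, which also catches the same files if they are served from another address. The log format, the client addresses, the timestamps and the placeholder host `malicious-host.invalid` in the sample lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator taken from the write-up: every file the worm fetches sits under this
# directory on the hosting server.  The host's middle octets are {BLOCKED} in the
# original, so matching here is done on the URL path, not on the IP address.
IOC_PATH_PREFIX = "/~plobble/smail/lists/etc/"
IOC_FILENAMES = {"index.php", "worm2007.exe", "YMworm.exe"}

# Assumed access-log layout (constructed for this example):
#   <timestamp> <client-ip> <method> <url> <http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_PATH_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]+(?P<path>/.*)$")


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    filename: str


def match_ioc(url: str) -> Optional[str]:
    """Return the indicator file name if `url` points into the worm's hosting
    directory, otherwise None.  Query strings are ignored; the host is not checked."""
    m = URL_PATH_RE.match(url)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(IOC_PATH_PREFIX):
        return None
    name = path[len(IOC_PATH_PREFIX):]
    return name if name in IOC_FILENAMES else None


def scan_log(lines) -> List[Hit]:
    """Parse each access-log line and collect requests that match the indicators."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or blank line; skip rather than crash
        name = match_ioc(m.group("url"))
        if name is not None:
            hits.append(Hit(m.group("ts"), m.group("client"), m.group("url"), name))
    return hits


def affected_clients(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that touched the indicators, for follow-up."""
    return sorted({h.client for h in hits})


# Constructed sample log.  Client addresses, timestamps and the placeholder host
# "malicious-host.invalid" are invented; only the paths come from the write-up.
SAMPLE_LOG = """\
1178000000.123 10.0.0.15 GET http://malicious-host.invalid/~plobble/smail/lists/etc/index.php 200
1178000001.456 10.0.0.15 GET http://www.example.com/news/iraq-pictures.html 200
1178000002.789 10.0.0.15 GET http://malicious-host.invalid/~plobble/smail/lists/etc/worm2007.exe 200
1178000003.012 10.0.0.22 GET http://malicious-host.invalid/~plobble/smail/lists/etc/YMworm.exe 200
1178000004.345 10.0.0.22 GET http://malicious-host.invalid/~plobble/smail/lists/etc/robots.txt 404
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.client} fetched {h.filename}")
    print("clients to isolate:", affected_clients(found))
```

A hit on `index.php` means a user followed the IM link and was redirected; a hit on either `.exe` means the payload was requested, so that client should be treated as infected and checked for the WORM_SOHANAD files the post names.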

    Users are advised to be wary of such IM messages and not to click on links sent via YM, even if they come from someone you know. By the time you do, WORM_SOHANAD may already be downloading onto your computer.

    Data provided by Loucif Kharouni, Senior Anti-Threat Researcher (Trend Micro EMEA)





    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice