The first time I encountered this problem was two weeks ago. I was using my PC when an instant message from my niece suddenly popped up. To my surprise, the message, with some clickable link in it, was written in Thai! Right there, I knew it didn’t come from my niece. Ignoring the message, I closed the YM window. After a few minutes, another message popped up. This was followed by another, and another, and another… Annoyed, I removed my niece from my YM contact list.
After a week, I received a similar instant message from my sister-in-law. This time, the message was an invitation to view some photos on some website by clicking the provided link. Since there was no other note included, I suspected that the message was not from her. My suspicion was confirmed when, after a few seconds, another message was sent. Hmm, another compromised messenger account, I thought. I sent a message back and advised her to change her messenger password ASAP.
I initially thought that this was some kind of instant messaging spam. After running a search on Google, I realized that it is even worse. There seem to be two forms of attack: one is an actual virus/worm that spreads via instant messaging, and the other is a phishing attack launched against YM users. For the latter, the attack usually starts with an instant message from someone in the user’s contact list. The message usually includes a link to a Yahoo-looking site requiring visitors to log in, thus revealing their Yahoo ID and password. The phisher then uses this information to trick other YM users in the contact list of the compromised account. Worse, the phisher also gains access to all personal information in the user’s other Yahoo accounts, such as emails, photos, groups, etc.
The virus/worm version is reported to take control of your messenger and send messages with website links to your contact list without your knowledge. When the link is clicked, the virus downloads a copy of itself to the user’s PC, disables the registry editor and Task Manager, hijacks the Internet Explorer home page, and leads users to sites that automatically install malicious software on their PCs. Moreover, there seem to be several variants of this virus/worm out there: Yh032.explr, w32.KMeth, Worm_Sohanad.B, etc.
If you are already infected, the easiest way to remove the virus/worm is to use System Restore if you are using Windows XP. See Microsoft Help for details. Be sure to choose a restore point from before you got the virus/worm, and then scan your system for any signs of the virus/worm after the restore. Update your PC regularly and use an up-to-date antivirus program. If this doesn’t work, you can also check this site (http://de.trendmicro-europe.com/enterprise/…) for instructions on how to remove the Sohanad.B variant.
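As an added example (not part of the original post), here is a PowerShell script that checks the current user's registry for the three symptoms described above: the policy values that disable the registry editor and Task Manager, and a changed Internet Explorer home page. The registry paths and value names are the standard Windows locations for those settings; the list of "known-good" home pages is an assumption you should adjust to your own default.

```powershell
# Added example, not from the original post. Read-only check of the
# per-user registry values the post says the worm tampers with.
# Assumption: the worm uses the standard policy values
# DisableRegistryTools / DisableTaskMgr and the IE "Start Page" value.

$checks = @(
    @{ Name  = 'Registry editor disabled'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'
       Bad   = { param($v) $v -eq 1 } },
    @{ Name  = 'Task Manager disabled'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'
       Bad   = { param($v) $v -eq 1 } },
    @{ Name  = 'Internet Explorer home page changed'
       Path  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Value = 'Start Page'
       # Assumed known-good pages; anything else is flagged for review.
       Bad   = { param($v) $v -and ($v -notmatch '^(about:blank|https?://(www\.)?(msn|microsoft|yahoo)\.com)') } }
)

$findings = @()
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # value absent: nothing to flag
    $current = $item.($c.Value)
    if (& $c.Bad $current) {
        $findings += [pscustomobject]@{
            Indicator = $c.Name
            Key       = $c.Path
            Value     = $c.Value
            Data      = $current
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found in the current user hive.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Indicators found. As the post recommends, use System Restore to a point before the infection and then run an up-to-date antivirus scan.'
}
```

The script only reads the registry; it does not undo any changes, so a clean result here does not by itself prove the PC is uninfected.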
So, the next time a friend of yours sends you an instant message with suspicious links, beware! By clicking those links, you could be opening your PC to a lot of trouble.