A new and particularly virulent worm weaseled its way into the Yahoo Messenger community this week, infecting an unknown number of users after tricking them into clicking on a link masquerading as "foto" or "fotos" from someone in their contact list.
According to a Symantec blog posting, after a user clicks the link, the default browser is redirected to the worm executable, which is also disguised with a misleading name that somewhat resembles a Facebook or MySpace page where someone would expect to find personal photos.
Once the program is executed, the worm copies itself to %WinDir%\infocard.exe, adds itself to the Windows Firewall list, stops the Windows Update service and looks for the Yahoo Messenger application on the user's PC.
The worm then sends links to itself to everyone on the user's contact list and begins to download and execute other malicious files.
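The host changes described above (a copy named infocard.exe in the Windows directory, a Windows Firewall list entry and a stopped update service) can be checked with a short read-only script. This is an added example, not code from Symantec or Yahoo; the function name, the legacy firewall registry location and the `wuauserv` service name are assumptions that do not appear in the article.

```powershell
# Added example: read-only triage for the host changes the article describes.
# The function name and output shape are hypothetical.
function Get-InfocardWormIndicator {
    [CmdletBinding()]
    param(
        # Copy location named in the article, built with Join-Path.
        [string]$DropPath = (Join-Path $env:WinDir 'infocard.exe')
    )
    $leaf = Split-Path -Path $DropPath -Leaf
    $hits = @()

    # 1. Worm copy in the Windows directory (-Force also returns hidden files).
    $file = Get-Item -LiteralPath $DropPath -Force -ErrorAction SilentlyContinue
    if ($file) {
        $hits += [pscustomobject]@{
            Indicator = 'DroppedFile'
            Detail    = '{0} created {1:u}' -f $file.FullName, $file.CreationTimeUtc
        }
    }

    # 2a. Legacy firewall allow lists: each allowed program path is stored
    #     as a registry value name (assumed standard Windows location).
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $key = "$base\$fwProfile\AuthorizedApplications\List"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($name in (Get-Item -LiteralPath $key).GetValueNames()) {
            if ($name -like "*\$leaf") {
                $hits += [pscustomobject]@{ Indicator = "FirewallList/$fwProfile"; Detail = $name }
            }
        }
    }
    # 2b. Rule-based firewall on newer Windows, when the cmdlet is available.
    if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
        $filters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Program -like "*\$leaf" }
        foreach ($f in $filters) {
            $hits += [pscustomobject]@{ Indicator = 'FirewallRule'; Detail = $f.Program }
        }
    }

    # 3. Windows Update service state. Newer Windows stops this service when
    #    idle, so it is reported only as corroboration of another finding.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($hits.Count -gt 0 -and $wu -and $wu.Status -ne 'Running') {
        $hits += [pscustomobject]@{ Indicator = 'UpdateServiceNotRunning'; Detail = "wuauserv is $($wu.Status)" }
    }
    $hits
}
```

Running `Get-InfocardWormIndicator` with no arguments returns nothing on a host that shows none of these changes.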
"We recommend Yahoo Messenger users to be especially careful with what types of files they are opening, and be cautious with links received even from well-known and trusted contacts," Symantec advised in its posting. "Many times, becoming a victim can be avoided just by asking the contact who sent the link whether it's real or not."
This isn't the first time a worm or other type of targeted malware has used Messenger or other instant messaging platforms to implant spam-spewing code or infiltrate personal data reservoirs.
Earlier this year, CIOs at more than 500 companies flatly stated that social networking sites, such as Facebook and Twitter, as well as instant messaging clients, are the largest threats to their companies' data.
Yahoo officials said they were aware of the scam and as of Thursday were still working to address the problem.
"Very recently we learned of an issue where some users have received spam messages in Yahoo Messenger from their contact list," Thyaga Vasudevan, a product manager for Yahoo Messenger, wrote in a blog posting. "Yahoo Messenger has quickly worked to resolve the situation."
Symantec (NASDAQ: SYMC) said this worm is affecting an unknown number of users running Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003 and Windows 2000 operating systems.