MediaBizTech

Robert Freeman's whole Media, Business and Technology thing. Sorted.

Yahoo instant message hijack virus going round


This afternoon, I’ve seen what I assume to be two of my contacts on Yahoo infected by some kind of trojan/worm hijack, and a type I’ve not come across before.

It’s very common, on Yahoo IM at least, to have random users attempt to add you. If you accept, a chat bot will attempt to send you a link to their “webcam” or similar, and if you click, you’ll probably get some kind of drive-by download infection.

The attack attempt I saw today is different. The virus hijacks the Yahoo Instant Message client and sends out a chat stream to people you already know on IM. So rather than seeing the obvious chat bot from a random user who’s just added you, it comes from someone you already know. Scary and dangerous.

Here’s a transcript of the chat script … I didn’t realise it wasn’t my friend until the link showed up. I bet many unsuspecting people do click through:

contact: you there?
me: hey
contact: will you do me a quick favor and take an IQ quiz for a project im doing?
me: haha sure
contact: I need to see how many people out of my friends get over a 115.
me: what’s my prize?
contact: just go to  http://nastytrojanvirus.com/?invitecode=dxk4infa79 and take the test.. if you do ill owe you big time.
me: yeah, don’t think I’m clicking that somehow
contact: please let me know what score you get. thanks so much
me: rest assured I won’t
contact: im going to go cook while you do it
me: what does a bot cook?
contact: BRB, let me know your score when im back!
me: bot bot bot

The link it sends appears to go to a slightly different domain each time (the first was to iqtestingkoia, the second to iqtestinghiki3).

It’s also interesting that the bot appears to both initiate chat sessions and respond to them. The first time I saw the attack attempt, the chat was initiated by the bot. But the second time I saw it, half an hour later, I initiated the chat session with a friend I just saw come online.
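The link pattern noted above (the same `invitecode` query parameter on lookalike hosts that change from message to message) can be checked mechanically across IM logs. This is an added example, not part of the original post: the sample messages and `.example` hosts are constructed, and the six-character stem length is an assumed threshold.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
STEM_LEN = 6  # assumption: hosts sharing this many leading characters form one family

def lure_links(message):
    """Return (host_label, url) for every link that carries an invitecode parameter."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,)")              # drop trailing sentence punctuation
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        if "invitecode" in parse_qs(parts.query):
            host = parts.hostname.lower()
            if host.startswith("www."):
                host = host[4:]
            hits.append((host.split(".")[0], url))
    return hits

def rotating_families(messages):
    """Group lure hosts by leading stem; keep stems seen on 2+ distinct hosts.

    messages: iterable of (sender, text). The senders listed for a family are
    the contacts whose accounts sent the lure and should reset their passwords.
    """
    hosts, senders = defaultdict(set), defaultdict(set)
    for sender, text in messages:
        for label, _url in lure_links(text):
            stem = label[:STEM_LEN]
            hosts[stem].add(label)
            senders[stem].add(sender)
    return {
        stem: {"hosts": sorted(hosts[stem]), "senders": sorted(senders[stem])}
        for stem in hosts
        if len(hosts[stem]) >= 2
    }

# Constructed sample log: two scripted lures on rotating hosts, one ordinary link.
SAMPLE = [
    ("contact_a", "just go to http://iqtestingaaaa.example/?invitecode=abc123 and take the test.."),
    ("contact_b", "just go to http://iqtestingbbb1.example/?invitecode=def456 and take the test.."),
    ("contact_c", "photos from the weekend: http://photos.example/album?id=7"),
]

if __name__ == "__main__":
    for stem, info in rotating_families(SAMPLE).items():
        print(stem, info["hosts"], info["senders"])
```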

Anyone else seen this?


Written by Robert

4 March, 2011 at 4:51 pm

Posted in Software


20 Responses


  1. yeah it’s going around yahoo messenger like wildfire…just google “IQ test yahoo messenger” and you’ll find many others. it’s quite the scam. the bot also knows terms like “hack” and “virus” – so in some instances if you respond to the messages saying “you’ve been hacked” it will say “no, it’s me” or “believe me”, etc. …apparently if you click on the link and take the test, they then ask for your mobile phone number to see the results. you’ll then get subscribed to one of those pay services and billed monthly via your phone bill. tell your friend to change their yahoo password and do both virus and adbot scans on their PC.

    drew

    7 March, 2011 at 8:20 am

  2. After changing the password, the bot no longer appears.

    celi

    9 March, 2011 at 12:03 am

    • In English: “after changing the password, the bot has not appeared again”

      Drew

      9 March, 2011 at 12:23 am

      • I am getting those messages too, do you think my friend read the email I sent to him letting him know what is going on from his yahoo ID?

        ina

        9 March, 2011 at 1:26 am

  3. Yep, I’ve seen this, and the strangest thing is that it seems to come from people I speak to the least often… curious that.

    Steve

    9 March, 2011 at 10:33 pm

  4. Maybe abandoned YIM accounts make the best targets?

    Robert

    9 March, 2011 at 10:35 pm

  5. @Robert: don’t think these are abandoned accounts, after all I receive email from a couple of them occasionally… someone has exploited a weakness in the system – only apparent since a recent upgrade…

    Steve

    9 March, 2011 at 10:45 pm

  6. contact says
    will you do me a quick favor and take an IQ quiz for a project im doing?
    me says
    lol sure
    contact says
    I need to see how many people out of my friends get over a 115.
    me says
    ok
    contact says
    just go to http://iqtest7625.com/?invitecode=9kuy1a0b25 and take the test.. if you do ill owe you big time.
    me says
    David, what is your favorite band ?
    contact says
    please let me know what score you get. thanks so much
    me says
    when was your first kiss ?
    contact says
    im going to go cook while you do it
    me says
    i think you are a virus bot, how do you think ?
    contact says
    lol no, stop doubting me
    me says
    virus bot mother fucker
    cook ? yea right
    contact says
    brb, let me know your score when im back!
    me says
    cooking crack maybe

    Jason

    16 March, 2011 at 7:38 pm

  7. I think there is a new one. I added an id I thought was a friend, only this id keeps asking me if I like women with big boobs or big booties. Then asks if I want to view her webcam. Same thing every time.

    Lacey

    6 May, 2011 at 4:16 am

  8. I just got this from a traveling friend that works all over the US. He hardly talks on yahoo and when I saw him with this I assumed ( him being the gambling and risk taking type) it was for real. Same scenario here, “I am about to lose a bet and click this IQ test blah blah.” But unlike you guys, I get a blank page akin to a broken link. Twice it occurred with the same thing, yet it seems not to do anything but send me to a blank dead page with nothing on it. So I guess I can’t be affected by it as my computer auto blocks it I believe (by the notion it doesn’t load the page).

    David

    9 August, 2011 at 3:54 pm

  9. I’ve gotten IMs from random names that I don’t even know with a blank IM every once in a while.

    Andy

    12 December, 2011 at 8:56 pm

  10. This just happened to me from one of my old friends who I haven’t talked to or seen on Yahoo in a looong time, so I’m thinking the same thing! I didn’t click on the link! Soooo glad I didn’t!

    QiyahBoo

    14 December, 2011 at 9:13 pm

  11. I just had this happen this week. It was from a friend of the opposite sex that I usually have teasing and provocative conversation threads with. This IM asked me why I just posed sexy pics on my profile. I asked “what r talking bout” and it responded with a link. Then told me they had new web cam, would I test it with them…then gave me step by step instructions on how to view thru IE browser using a site. Later in this week, friends called and emailed me that my account was hacked. It was random, not all my IM contacts. They got the IM, it asked if they were on web cam! Several friends KNEW that was not from me. Definitely a bot that’s pretty smart. Running malware/virus checking stuff now. Haven’t found it yet.

    Kimber

    10 February, 2012 at 8:19 pm

    • This is exactly what happened to me! Does anyone know if the virus is on the receiving chat pc or the sending pc?

      Melissa

      1 June, 2012 at 2:51 pm

  12. same on my part.. exactly what happened!! i didn’t click on the link!! does anyone know if the virus is on the receiving chat?

    dais

    8 June, 2012 at 12:53 pm

  13. same here, i have friends on my list i haven’t talked to in years but every blue moon they pop up, but every freaking time i sign in these bots keep talking about a stupid webcam and iq test……

    Kiante D. Hines

    11 August, 2012 at 8:31 pm

  14. Me and my husband have received several texts on our cells from numbers we don’t recognize! They usually call us by name saying “Hey April I haven’t heard from you in a awhile!” so then I will ask who it is and they will tell us to go on yahoo messenger and chat with them there. So I continue to ask who it is and they always say their battery is about to die or they have no reception so go to Yahoo messenger and give us an address (sammygirlie89 or textflirt3)! My husband and I have received the texts around the same time and it happens about every other month! Is anyone else having this issue?

    April battle

    1 December, 2012 at 10:54 pm

    • That’s a new one on me – IM spam moves onto mobiles! 😦

      Robert

      27 January, 2013 at 11:24 pm

  15. […] Moreover, hackers can send links to your employees that send them to websites that might contain malware and viruses. In addition to that, those links might send employees to adult websites. For example, users of Yahoo Messenger have reported that their contacts are getting messages that appear to be sent from their accounts. Some of those messages just direct people to websites. Others are rife with viruses and malware. […]

