Was the Messenger Virus Controlled?

If you use Yahoo! Messenger as I do, you may have received a message from a friend offering links to some “cool pics” (s)he wanted to show you. I wouldn’t have blogged this, as my friend Nicole already did, but it seems that Yahoo! has already contained the spread by blocking the links on the server side, so they show up as just “http://” rather than the whole URI to the infected Web site.

I happened to encounter those messages weeks before I knew it was a virus, but I use Firefox, and when I went to the Web site it didn’t infect me at all.

I just hope the other messenger programs implement a block for these infectious messages too, in one way or another, if not the same system Yahoo! is already using. Besides, Yahoo! Messenger is not the only client vulnerable to this: AOL Instant Messenger and Windows Live Messenger are as well. If you use either of those two services, please tell me whether they are also responding properly to these attacks. More info about the virus can be found in the Trend Micro Virus Encyclopedia entry for WORM_SOHANAD.I.

Happy IMing to you all! 🙂

Update: The spammers apparently know what Yahoo! has been doing to block the URL to their malware site, as I’ve just received another spam message from a contact with the address still intact. They now percent-encode part of the domain to get past the filters on the Yahoo! Messenger servers. For example, instead of thecoolpics.com, which the server filters block, they now send the address as thec%6folpics.com, where %6f is the URL-encoded form of the letter o. The filter is evidently matching the raw string, so the encoded spelling slips through, while the link still leads to the same host once it is decoded.
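To make the bypass concrete, here is an added example of the two filtering approaches side by side; it is my illustration, not Yahoo!’s code, and only the domain thecoolpics.com is taken from the post. The sample links are constructed. A raw substring match on the blocklist misses thec%6folpics.com, whereas a filter that first canonicalizes the host (percent-decoding to a fixed point so double encoding such as %256f is undone too, lowercasing, and rejecting anything that no longer looks like a DNS name) catches it, and the redaction step reproduces the “http://” stub the post describes.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# The only blocked domain named in the post; a real filter would load a longer list.
BLOCKED_HOSTS = {"thecoolpics.com"}

# Upper bound on nested encodings (%256f -> %6f -> o); anything deeper is suspicious on its own.
MAX_DECODE_ROUNDS = 5

# A plausible DNS name after decoding: labels of letters, digits and hyphens joined by dots.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def decode_fixpoint(s: str) -> str:
    """Percent-decode until the string stops changing, so double encoding is undone too."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def canonical_host(url: str) -> Optional[str]:
    """Lowercase, fully decoded host of `url`, or None if it does not look like a DNS name."""
    if "://" not in url:
        url = "http://" + url                   # bare "thec%6folpics.com/x.jpg" style links
    raw_host = urlsplit(url).hostname or ""     # urlsplit lowercases the host but does NOT decode it
    host = decode_fixpoint(raw_host).lower().rstrip(".")
    return host if HOST_RE.match(host) else None


def naive_blocked(url: str) -> bool:
    """The check the encoded domain evades: a raw substring match against the blocklist."""
    return any(h in url.lower() for h in BLOCKED_HOSTS)


def blocked(url: str) -> bool:
    """Canonicalize before comparing; a host that cannot be decoded into a DNS name is refused too."""
    host = canonical_host(url)
    return host is None or host in BLOCKED_HOSTS


def redact(message: str) -> str:
    """Mimic the server behaviour described in the post: a blocked link is cut down to its scheme."""
    def replace(m: re.Match) -> str:
        return m.group(1) + "://" if blocked(m.group(0)) else m.group(0)
    return re.sub(r"(https?)://\S+", replace, message)


if __name__ == "__main__":
    # Constructed sample links, not real captures.
    for link in ("http://thecoolpics.com/me.jpg",
                 "http://thec%6folpics.com/me.jpg",        # the evasion from the post
                 "http://thec%256Folpics.com/me.jpg",      # double encoded, mixed case hex
                 "http://example.com/me.jpg"):
        print(f"{link:40} naive={naive_blocked(link)!s:5} canonical={blocked(link)!s:5}")
    print(redact("check these cool pics http://thec%6folpics.com/me.jpg :)"))
```

Decoding is done only on the host component, after parsing, so an encoded slash or other delimiter cannot shift which part of the link is treated as the host; if decoding yields something that is not a DNS name, the link is refused rather than guessed at.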


14 Replies to “Was the Messenger Virus Controlled?”

  1. I didn’t say I got the virus. I’m virus-free, too. I’ve been infected once during the last two or three years by a trojan (whose installers are not usually detected by a/v software), but thankfully I have been capable of removing them. I hope I could get to use a Mac or Linux, but, unfortunately, my family is not that geeky to try to get used to being on another system.

  2. Aja, Aja. Geek! 😀 Anyway, I’ve been meaning to ask you about this. Have I been sending those messages too? Good thing I’m not that gullible as to click links sent to me by my contacts, hah. As far as I know, I’m virus-free.

  3. You haven’t been. Besides, it would be easy to detect, as your registry editor and task manager would be disabled, as well as some a/v programs. And your [probably IE] homepage would be changed to whatever URI the malware is distributing, making you download it again if ever you have already cleaned it.

  4. These things could easily be avoided if users would be more aware, read: actually read, the whole URI before clicking on it instead of just clicking on it right after seeing the “cool pic” words. Fuzzy or weird-looking URIs would almost immediately indicate that it’s a link to be cautious with.

    I’ve never been infected by a virus this way, largely because I seldom use YM anymore. On the rare occasions, I could easily spot whether the link is suspicious or not.

    So keep a sharper eye out for those links everyone. 😀

  5. Quoting comment 5056: “Why not just use GAIM?”

    It seems that Gaim currently has problems. I don’t think I’d try beta software for that reason, and because stable official IM clients still exist. Maybe other users would be more interested. Thanks for the tip, though! 😉

  6. ahhhhhhh… hehe! Wow, you even went and dealt with this one! Just kidding. That’s why I don’t like offline messages (that’s usually where I get lots of those who-knows-what links).

  7. Actually, if you’re using Linux/Mac, you’ll be more inclined to try and test beta software. On Windows it’s hard to do this stuff, but on Linux I usually try a new piece of software every week.

    Oh, and btw, I’m using Gaim 2.0beta3 on Ubuntu Dapper and had just taught a protege how to install Gaim 2.0beta4 on his Ubuntu Breezy via chat only. hahaha He was actually satisfied with it. Now he knows how to install programs from source (“make install”). I’d rather believe Gaim’s developers than Wikipedia. Such things are not actually problems – it’s very obvious that it’s recommended to get the stable version of a piece of software.

    Well, the switch (to Linux) is not easy but I can recommend having a dual boot (windows + linux) or get a Mac instead (because they say that Mac is the closest *nix system to Windows).

    As for the YM, you may use meebo.com too.

  8. darn spammers. I’d still suggest using Gaim as an alternative. Run it in Ubuntu, worry no more about those friggin spammers and viruses.

  9. Hey, I accidentally clicked such a link with the edited address theC%6foolpics.com/___.jpg BUT the thing is THE PAGE DID NOT LOAD. I’m using Firefox with Adblock and NoScript. It said either I did not write the proper link, some firewall prevented the page from loading, or there was a server error. I’m using McAfee Firewall Plus and antivirus.

    I immediately figured this link is definitely not good news. So I searched the net and found that it’s indeed a worm. I ran Ad-Aware and one tracker cookie was found. It got automatically deleted and I deleted the archive in the quarantine as well. McAfee did not find anything infected.

    I checked regedit. It’s not disabled and still pretty much clear of cvhost keys.

    I’m sorry to be bothering you, but I just really need someone’s opinion on this. Do you think my computer has been infected in the first place? I mean, with the page not loading to begin with.

    Does the worm/malware spread even if the page failed to load? Does the effect take place after a computer reboot? Because I haven’t rebooted yet and as of now (3 hours after I clicked the link) my regedit is enabled, my homepage is still not changed, I still have control over my YM status, and generally everything is still going smoothly.

    Sorry for the bother, but I hope I’d get a reply!
    Thanks in advance,
    sath

  10. I don’t think you’ve been infected at all. I am thinking about two possibilities you may have encountered. [1] Maybe you were just lucky that a network or connection error caused the page load to fail. And you said you were using Firefox; I believe Firefox users aren’t vulnerable to this. [2] Maybe [and hopefully] the Web host discovered its user has been spreading malware attacks and wiped the worm off of its system, though this is less likely to happen, as I really do not know whether the site is remotely hosted or not.

  11. Hi, please help me. I got this cool pic virus & it has spread on 3 of my PCs. I am really scared & even though I have tried that Firefox, it is also not helping me.
