You’ve have all probably been already told a hundreds of times to be careful when clicking on links in unsolicited emails and messages. But, what you also need to know and hear repeatedly is that you need to be careful even when following links found in messages from your friends.
Case in point: the Yahoo! Messenger worm that has recently been detected by Symantec.
Unsuspecting users have been receiving instant messages from people on their contact list that look like this:
The link is subject to change, but if the user follows it, he will be prompted to save the following file:
As the most alert users will notice, the real extension is not .jpg but .exe. As you might have guessed, the link leads to the worm executable, and if the user runs it once it’s saved, it will copy itself, add itself to the Windows Firewall List, stop the Windows Updates service and modify the registry in order to make itself run every time the computer boots.
It propagates itself by searching for the user’s Yahoo! Messenger and sending the same messages that started the infection in the first place to all the people in the contact list. To avoid bringing attention to itself, the first time that the executable is run, this page will open itself in the user’s browser.
So far, there is no indication that the worm is doing anything else besides what has been mentioned before, but with things like this you can never know for sure that it won’t also be used to download and execute other malicious files. The fact that it stops the Windows updating process is indication enough that this worm is up to no good.
Once again – if you receive messages like these, it is better to check with your contacts whether they have actually sent the link.