Security firm Symantec this week issued a warning about a new Yahoo Messenger worm making the rounds. According to Symantec, the worm spreads by sending messages to victims from contacts in their list. The compromised IM contains a link that claims to be a photo but really points to a malicious executable on the Web.
Clicking the link itself won't harm your PC. Instead, the worm relies on old-fashioned tech newbness in hopes that the potential victim won't pay attention to the file they're downloading, which is a dirty executable and not a JPEG, PNG, or any other image file.
If executed, the worm copies itself to %WinDir%\infocard.exe and then adds an exception for itself to the Windows Firewall List. It also stops the Windows Update service and sets a registry value so that it runs on bootup. If you suspect your or someone else's PC has been compromised, the registry value you're looking to eradicate is:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Firewall Administrating" = "%WinDir%\infocard.exe"
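To check a machine for all four changes described above in one pass, here is an added example (not from Symantec or the original article) that reports on the Run value, the dropped file, the Windows Update service, and any firewall rule pointing at the file. The function name and output property names are hypothetical, and the firewall check assumes the NetSecurity cmdlets found on Windows 8 / Server 2012 or later.

```powershell
# Added example: read-only check for the indicators named in the article.
# Function and property names are hypothetical; run from an elevated prompt.
function Test-InfocardWormIndicators {
    [CmdletBinding()]
    param()

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'Firewall Administrating'
    $dropPath  = Join-Path $env:WinDir 'infocard.exe'

    # 1. Autorun value the worm sets so it starts at boot.
    $runData = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    # 2. Dropped copy directly under %WinDir% (-Force also finds hidden files).
    $fileInfo = Get-Item -LiteralPath $dropPath -Force -ErrorAction SilentlyContinue

    # 3. Windows Update service (wuauserv), which the worm stops.
    $wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue

    # 4. Firewall rules whose program path resolves to the dropped file.
    #    Assumption: NetSecurity module is available; skipped otherwise.
    $fwRules = @()
    if (Get-Command Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue) {
        $filters = @(Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
            Where-Object { $_.Program -and
                [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $dropPath })
        $fwRules = @($filters | ForEach-Object { ($_ | Get-NetFirewallRule).DisplayName })
    }

    [pscustomobject]@{
        RunValuePresent   = ($null -ne $runData)
        RunValueData      = $runData
        DroppedFile       = $dropPath
        DroppedFileExists = ($null -ne $fileInfo)
        FileSha256        = if ($fileInfo) { (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash }
        WindowsUpdate     = if ($wu) { "$($wu.Status)" } else { 'NotFound' }
        FirewallRules     = $fwRules
    }
}

Test-InfocardWormIndicators | Format-List
```

The script changes nothing on the system. A stopped Windows Update service on its own is not conclusive, so read it together with the other three fields.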
Anyone run into this?
Image Credit: Symantec