Learn, Unlearn and Relearn

May 2010 - Posts

Complex IM Worm Infects Yahoo! Messenger and Skype Users

Security researchers warn that a new worm is targeting instant messaging users. Spotted on Yahoo! Messenger (YM) and Skype, the attacks use sophisticated social engineering techniques to trick users into infecting themselves.

t certainly looks like IM worms are making a comeback on the threat landscape, as this is the second malware of this kind to emerge in under a week. Just this Monday, the online community was abuzz with news of a worm rapidly spreading through Yahoo! Messenger. The threat was so serious that BitDefender saw fit to release a standalone removal tool.

Worm description :

The Worm.P2P.Palevo.DP spreads automatically through spam using instant messaging platforms. It sends a message asking users to save a JPG file. The file is in fact the Worm.P2P.Palevo.DP itself. When the file is launched a virus will infect the host.
The worm creates four hidden files in Windows directory:
Then it modifies a few registry keys to deactivate the firewall:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"] KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ [Firewall Administrating = "%Windir%\infocard.exe"]
Using this tool you will be able to remove the Worm.P2P.Palevo.DP from your system, if infected.

The link for the remover tool is:

The messages used to lure potential victims are more enticing and variate with each attack. "Does my new hair style look good? bad? Perfect? ;)" or "My printer is about to be thrown through a window if this pic won't come our right. You see anything wrong with it?" are just two examples. Also, the spammed image URLs end in actual .JPG and point to a RapidShare lookalike website called
Hitting the download button on the page prompts the download of an archive file called Inside the archive, there is a .COM MS-DOS executable file deceptively called, which installs a variant of a backdoor named Tofsee, Flot or Skyhoo, depending on antivirus vendor.
Bkis points out that while Skyhoo installs an IRC botnet client, just as Ymfocard, the new worm is much more complex. For one, it is able to block antivirus software from functioning properly and uses a rootkit component to hide itself. Moreover, it also adds malicious links to any Word and Excel document opened on the computer or any email composed in Outlook. It also infects removable USB drives and creates an autorun.inf file to execute itself.
YM and Skype users are advised to exercise increased caution when choosing to open links received from their friends and, as always, connect to the Internet with a capable and up-to-date antivirus product installed. At the time of writing this article, only 13 out of 41 AV engines on VirusTotal detect the .COM file as being infected.

Posted: 05-08-2010 11:08 AM by RAVI SINGHAL with no comments

How to Try the New Google Search

Confirmed. The rumors about Google's redesign are true, and you can try it for yourself with a very simple method.


1. Go to

2. Once it loads, enter this code into your web browser's URL address field:


There shouldn't be any in front of that. Just that code.

3. Hit enter.
4. Reload or open a new page and you will have access to the new user interface.


It's fast and sweet, although the changes don't affect all the available sections.

Posted: 05-05-2010 10:50 PM by RAVI SINGHAL with no comments