A new instant messenger worm has been discovered by FaceTime Security Labs [http://facetime.com/securitylabs/threatdetail.aspx?id=2812]. This worm installs a new web browser called "Safety Browser", it changes and hijacks all Internet Explorer settings to be open and insecure, it uses the same icon as Internet Explorer, and it plays a looped song everytime your computer starts. Once it is installed, the worm spreads itself to other users on your Yahoo! Messenger contacts list.
ResNet understands this worm to act similar to the AIM Virus. It distributes links to your contacts trying to trick them into installing the browser. A good instant messaging practice is to avoid directly clicking on links in any instant message you receive. Safer practice would be to reply to the user asking what the link actually goes to. Sometimes these worms will show a link going to a known website, but actually link (inside the code) to a malicious website. Most instant messenger applications will show the real link if you hover over the link with your mouse for several seconds. If the link in the code does not match the link displayed, you should not go to the website.
Currently there is no known uninstaller for this Yahoo! Messenger worm. ResNet will continue to research this peice of malware. If we find it is not supported by our current malware products, we will build an uninstaller and assist users in removing any infection they may obtain. Please, verify any instant messenge links prior to opening them!
