Tuesday, June 13, 2006

MSN Messenger & Yahoo! Mail Hit By Worms

Panda Labs is reporting that the worm they have named BlackAngel.B (the technical name for this worm is W32/BlackAngel.B.worm) is being spread primarily via MSN Messenger. Currently it is rated in the wild as a threat level 1, which is their lowest. The worm can possibly cause the following damage:
BlackAngel.B is a worm that attempts to disable the processes belonging to several security tools, such as antivirus programs and firewalls, among others. It prevents users from accessing certain operating system tools such as the Task Manager and the Registry Editor.

Additionally, it shuts down the computer. This way, the information that had not been saved until that moment could not be recovered.
Also according to Panda, it is fairly easy to recognise:
- File name: fantasma.avi.exe.
- Icon: uses the same icon as Windows Media Player.
- Size: 385,024 bytes.
- Programmed with Visual Basic.

It sends one of the following messages to all Messenger contacts:

"jaja look a that http://<>/fantasma.zip"
"mira este video http://<>/fantasma.zip jaja"
Further information with images is available at the Panda Labs Encyclopedia Site.
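
The file name and size indicators listed above can be checked mechanically. The following Python code is an added example, not from Panda Labs or the original post; the two extension lists are assumptions and are not exhaustive, while the name and size values are the ones quoted on this page.

```python
import os
from pathlib import PureWindowsPath

# Extensions Windows runs on double-click (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user reads as harmless media or documents (assumed list).
DECOY_EXTS = {".avi", ".mpg", ".mp3", ".wmv", ".jpg", ".gif",
              ".doc", ".pdf", ".txt", ".zip"}
# Indicators quoted on this page from Panda's description.
PAGE_NAME = "fantasma.avi.exe"
PAGE_SIZE = 385_024


def classify(name, size=None):
    """Return a list of findings for one file name and optional size in bytes."""
    # Windows ignores trailing dots and spaces and is case-insensitive,
    # so normalise the name before looking at its extensions.
    clean = PureWindowsPath(name).name.rstrip(". ").lower()
    suffixes = PureWindowsPath(clean).suffixes
    findings = []
    # Flag "media.avi.exe" style names; "report.v1.2.exe" is not flagged
    # because its second-to-last suffix is not a decoy extension.
    if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DECOY_EXTS):
        findings.append("double-extension")
    if clean == PAGE_NAME:
        findings.append("name-match")
        if size == PAGE_SIZE:
            findings.append("size-match")
    return findings


def scan(root):
    """Walk a directory tree and yield (path, findings) for flagged files."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                size = None  # unreadable entry: still check the name
            hits = classify(fname, size)
            if hits:
                yield path, hits
```

A name or size match is only a triage hint, since both are trivial for a variant to change; the double-extension finding is the more durable signal.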

The second worm attack users are being warned of today, JS/Yamanner@MM, targets Yahoo! Mail. According to The Washington Post, security experts are warning of a new e-mail worm that takes advantage of a flaw in Yahoo's Web mail system to redirect users to advertising sites and to spread the worm to everyone in the victim's e-mail address book.

Due to the increase in news reports, AVERT at McAfee Antivirus has issued a low-level advisory, and released an extra DAT file to its subscribers.

The WaPo article quotes an advisory from Symantec Security Response (Norton AV) stating
"JS.Yamanner" exploits an unpatched Javascript vulnerability that kicks in when the user opens an e-mail infected by the worm. Unlike most e-mail-based worms -- which launch when the recipient clicks on an infected file attachment -- this one spreads merely by getting the user to open the e-mail.
In addition to the above report from the Washington Post, SANS Internet Storm Center is reporting on its website that the release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.


In an update, SANS is now quoting Yahoo! as saying that it is aware of the issue and is working on a fix. In their words, "Yahoo! Mail is blocking most of these messages, and is working on a fix."

I would urge all of you to read the specifics of these two worms at the links provided above, and of course it goes without saying make sure your AV and Firewall apps are currently up to date.
