1 min read

[Malware Review] Trojan.Agent.Delf.RHO Owns Your Yahoo Messenger Account

Bogdan BOTEZATU

November 27, 2009

Promo Protect all your devices, without slowing them down.
Free 30-day trial
[Malware Review] Trojan.Agent.Delf.RHO Owns Your Yahoo Messenger Account

Today’s example details on an extremely dangerous Trojan with Worm capabilities that mostly affects Romanian YIM! users.

Called Trojan.Agent.Delf.RHO, this piece of malware spreads via links sent as instant messages on Yahoo! Messenger on the behalf of other infected users. In order to trick the user into accessing the malicious links, the Trojan places them in a valid context. For instance, some messages warn the victim that he / she is infected and should immediately download a cleaning utility via the
provided link, while others advertise an invisible / ignore contact scanner. Trojan.Agent.Delf.RHO seems to have its roots in Romania, since the messages it sends are written in Romanian.

The link takes the user to a web site or blog containing an embedded movie that requests the user to download a codec, which turns to be the Trojan itself. Upon execution, the setup file installs the following files: %WINDIR%system32yahooui.exe, %WINDIR%system32yahooauth2.dll, %WINDIR%system32ssleay32.dll, and %WINDIR%system32libeay32.dll.

The Trojan would wait for the user to sign into their account and then would start sending spam messages to the contacts in the user’s list.

Trojan.Agent.Delf.RHO is more than meets the eye: apart from being annoying, it also invites other friends to its party, such as the extremely dangerous Trojan.Spy.Banker.ACFQ,
which tries to trick the user into accessing phishing sites targeting e-banking services.

In order to avoid infections, we recommend that you install and regularly update a complete antimalware suite with antivirus, antispam, antiphishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher Mihai-Andrei Livadariu.

tags


Author


Bogdan BOTEZATU

Bogdan is living his second childhood at Bitdefender as director of threat research.

View all posts

You might also like

Bookmarks


loader