WEEKLY REVIEW

[Malware Review] Trojan.Agent.Delf.RHO Owns Your Yahoo Messenger Account

Instant messaging services are increasingly becoming an essential part of our lives, for business and personal users alike, and it was only a matter of time before malware authors turned their attention to these applications.

Today's example details an extremely dangerous Trojan with worm capabilities that mostly affects Romanian Yahoo! Messenger (YIM) users.

Called Trojan.Agent.Delf.RHO, this piece of malware spreads via links sent as instant messages on Yahoo! Messenger on behalf of other infected users. In order to trick the user into accessing the malicious links, the Trojan places them in a plausible context. For instance, some messages warn the victim that he / she is infected and should immediately download a cleaning utility via the provided link, while others advertise an invisible / ignore contact scanner. Trojan.Agent.Delf.RHO seems to have its roots in Romania, since the messages it sends are written in Romanian.

The link takes the user to a web site or blog containing an embedded movie that asks the user to download a codec, which turns out to be the Trojan itself. Upon execution, the setup file installs the following files: %WINDIR%\system32\yahooui.exe, %WINDIR%\system32\yahooauth2.dll, %WINDIR%\system32\ssleay32.dll and %WINDIR%\system32\libeay32.dll.
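The four dropped files are the most practical indicator of this infection on a host, so here is a small triage script that checks for them and hashes any that are present. This is an added example, not BitDefender's removal tool: the file names come from the write-up above, while the hashing, the verdict logic and the assumption that the two OpenSSL DLL names (ssleay32.dll, libeay32.dll) are not proof of infection on their own are mine. Run it with the Windows directory as the first argument, or with no argument to use %WINDIR%.

```python
"""Triage check for the files Trojan.Agent.Delf.RHO drops into %WINDIR%\\system32.

Added example, not BitDefender code. The four file names are the ones listed in
the article; the hashing, report layout and verdict rules are my own assumptions.
A hit is a lead to confirm with a signature scan, not a verdict on its own.
"""
import hashlib
import os
import sys

# Indicator paths named in the write-up, relative to %WINDIR%.
DROPPED_FILES = (
    os.path.join("system32", "yahooui.exe"),
    os.path.join("system32", "yahooauth2.dll"),
    os.path.join("system32", "ssleay32.dll"),
    os.path.join("system32", "libeay32.dll"),
)

# Assumption: these two are the Trojan's own components; the OpenSSL DLLs it
# bundles (ssleay32.dll, libeay32.dll) are also shipped by legitimate software.
PAYLOAD_NAMES = {"yahooui.exe", "yahooauth2.dll"}


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so a large DLL is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_dropped_files(windir: str) -> dict:
    """Return {absolute path: sha256 hex} for every indicator present under windir."""
    found = {}
    for rel in DROPPED_FILES:
        full = os.path.join(windir, rel)
        if os.path.isfile(full):
            found[full] = sha256_of(full)
    return found


def assess(found: dict) -> str:
    """Turn the hit list into a one-line triage verdict."""
    if not found:
        return "clean: no indicator files present"
    names = {os.path.basename(path).lower() for path in found}
    if names & PAYLOAD_NAMES:
        return "infected: Trojan.Agent.Delf.RHO payload files present"
    return "suspicious: only the bundled OpenSSL DLLs present, compare their hashes"


if __name__ == "__main__":
    # Default to the live Windows directory; a path argument lets you scan a
    # mounted image or an offline copy of a suspect system.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", r"C:\Windows")
    hits = find_dropped_files(root)
    for path, digest in sorted(hits.items()):
        print(f"{digest}  {path}")
    print(assess(hits))
```

The hashes are printed so they can be submitted to the vendor or compared against the copies on another infected machine; the script deliberately does not delete anything, because the Trojan's dropper may also have installed the banking Trojan mentioned below, and a full signature scan is the right next step.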

The Trojan waits for the user to sign into their account and then starts sending spam messages to the contacts in the user's list.

Trojan.Agent.Delf.RHO is more than meets the eye: apart from being annoying, it also invites other friends to its party, such as the extremely dangerous Trojan.Spy.Banker.ACFQ, which tries to trick the user into accessing phishing sites targeting e-banking services.

In order to avoid infections, we recommend that you install and regularly update a complete antimalware suite with antivirus, antispam, antiphishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher Mihai-Andrei Livadariu.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.