A malicious advertisement that leads to a Vietnamese website has been displayed for a couple of hours on all Yahoo Messenger windows in the world. It appears the Yahoo Messenger client has been instructed to display a banner linking to a Vietnamese website for four hours.

It is not yet clear whether the banner has reached YIM customers following a legit advertising campaign that was modified by the advertiser later, or if it is an abusive attack that exploits a bug in the Yahoo Ad services. One thing is certain: users who followed the neatly crafted banner (a novel apparition for most YIM users that simply had to be checked out) were directed to, where they were prompted to install an exe file.

When run, the application looks for installed browsers, then hijacks the start page of each one to hxxp:// [handle with care]. This would be normal behavior for a browser add-on or toolbar, but there is more to the application than that: it adds itself to the Windows startup entries, so it can start at every system boot. When started, the application hijacks the browser start page over and over again.

If you have already installed the respective exe file, simply changing the browser’s start page won’t be enough. We offer a free removal tool that eliminates all traces of the hijacker and restores the browser start page to about:blank.

The removal tool can be downloaded for free from the Bitdefender Labs Downloads Area. Update: this removal tool supports both 32- and 64-bit operating systems.
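To check a machine for the two behaviors described above (a startup entry plus a start page that keeps being reset), the following read-only PowerShell triage lists startup entries worth a closer look and the current start pages. It is an added example, not part of the removal tool or the original article. It assumes the hijacker persists through a Run key or a Startup folder (the article only says "Windows startup entries") and covers only Internet Explorer and Firefox.

```powershell
# Added example: read-only triage, changes nothing on the system.
# Assumption: persistence is via a Run key or a Startup folder.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$userDirs = $env:USERPROFILE, $env:ProgramData, $env:TEMP | Where-Object { $_ }

$startup = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        # Pull the executable out of the command line: quoted path, else up to ".exe".
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($cmd -match '^\s*(.+?\.exe)\b') { $Matches[1] }
               else { $null }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status
               } else { 'Unresolved' }
        [pscustomobject]@{
            Source = $key; Name = $name; Command = $cmd; Signature = $sig
            # True when the binary lives where a non-admin installer can write.
            UserWritable = [bool]($userDirs | Where-Object {
                $exe -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        }
    }
})
# Per-user and all-users Startup folders.
$startup += @(foreach ($dir in 'Startup', 'CommonStartup') {
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($dir)) -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName
                                            Signature = 'n/a'; UserWritable = ($dir -eq 'Startup') } }
})

# Current start pages: IE from the registry, Firefox from each profile's prefs.js.
$pages = @()
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie) { $pages += [pscustomobject]@{ Browser = 'Internet Explorer'; StartPage = $ie.'Start Page' } }
$pages += @(Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)' |
    ForEach-Object { [pscustomobject]@{ Browser = "Firefox ($($_.Path))"
                                        StartPage = $_.Matches[0].Groups[1].Value } })

# Show entries that are unsigned, unresolved, or run from a user-writable location.
$startup | Where-Object { $_.Signature -ne 'Valid' -or $_.UserWritable } | Format-Table -AutoSize -Wrap
$pages   | Format-Table -AutoSize -Wrap
```

After the removal tool has run, the same script should show the start page as about:blank and no leftover startup entry pointing at the installed exe.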

Some information in this article was provided by virus researcher Octavian Minea. Removal tool courtesy of malware researcher Gabriel Ciubotaru.


