Yahoo Messenger Malvertising Hijacks Your Browser Start Page to Vietnamese Portal

A malicious advertisement that leads to a Vietnamese website has been displayed for a couple of hours on all Yahoo Messenger windows in the world. It appears the Yahoo Messenger client has been instructed to display a banner linking to a Vietnamese website for four hours.

It is not yet clear whether the banner has reached YIM customers following a legit advertising campaign that was modified by the advertiser later, or if it is an abusive attack that exploits a bug in the Yahoo Ad services. One thing is certain: users who followed the neatly crafted banner (a novel apparition for most YIM users that simply had to be checked out) were directed to, where they were prompted to install an exe file.

When run, the application looks for installed browsers, then hijacks the start page of each one to hxxp:// [handle with care]. This would be normal behavior for a browser add-on or toolbar, but there is more to the application than that: it adds itself to the Windows startup entries, so it can start at every system boot. When started, the application hijacks the browser start page over and over again.

If you have already installed the respective exe file, simply changing the browser’s start page won’t be enough. We offer a free removal tool that eliminates all traces of the hijacker and restores the browser start page to about:blank.

The removal tool can be downloaded for free from the Bitdefender Labs Downloads Area. Update: this removal tool supports both 32- and 64-bit operating systems.
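To see why resetting the start page alone does not hold, the following read-only PowerShell audit lists what runs at logon next to each browser's current start page. It is an added example, not Bitdefender's removal tool or code from the article; `$ExpectedStartPage` is an assumed value, and the locations checked are the standard Windows Run/RunOnce keys, the Startup folder, Internet Explorer's `Start Page` value and Firefox's `prefs.js`.

```powershell
# Read-only audit: autorun entries plus browser start pages. Changes nothing.
$ExpectedStartPage = 'about:blank'   # assumption: the start page you intend to keep

# Run/RunOnce for user and machine, including the 32-bit view on 64-bit Windows.
$runKeys = foreach ($hive in 'HKCU:\Software', 'HKLM:\Software', 'HKLM:\Software\WOW6432Node') {
    foreach ($leaf in 'Run', 'RunOnce') { "$hive\Microsoft\Windows\CurrentVersion\$leaf" }
}

$autoruns = @(
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $item.GetValue($name) }
            }
        }
    }
    # Shortcuts and executables in the per-user Startup folder also run at logon.
    Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $_.FullName } }
)

$startPages = @(
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $ieKey) {
        [pscustomobject]@{ Browser = 'Internet Explorer'; Source = $ieKey
                           StartPage = (Get-ItemProperty -Path $ieKey).'Start Page' }
    }
    # Firefox stores a user-set home page in prefs.js inside each profile.
    $ffRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $ffRoot) {
        Get-ChildItem -Path $ffRoot -Filter prefs.js -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hit = Select-String -Path $_.FullName `
                -Pattern 'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)' | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Browser = 'Firefox'; Source = $_.FullName
                                   StartPage = $hit.Matches[0].Groups[1].Value }
            }
        }
    }
)

$changed = @($startPages | Where-Object { $_.StartPage -ne $ExpectedStartPage })
$autoruns   | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
$startPages | Format-Table -AutoSize -Wrap
if ($changed.Count -gt 0) {
    Write-Warning "$($changed.Count) start page(s) differ from '$ExpectedStartPage'. Review the autorun list for an entry you did not install; while it remains, the start page will be rewritten at the next logon."
}
```

Run it once before and once after a reboot: a start page that reverts after being corrected, together with an unfamiliar autorun entry, matches the behavior described above.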

Some information in the article provided by virus researcher Octavian Minea. Removal tool courtesy of malware researcher Gabriel Ciubotaru.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


    • until removal tool is ready
      go to
      download & execute: autoruns
      look after “” and disable it

      additionally you can add this line in hosts file

  • Greetings,

    The removal tool now supports both 32- and 64-bit operating systems. The download link is the same.

  • […] Earlier today, the Bitdefender automated scan systems alerted us to the fact that a malicious obfuscated script loaded by hxxp:// address redirects users towards a malicious page hosting the notorious BlackHole exploit. Apparently, the script has been loaded through third-party advertisement, a practice commonly known as malvertising. You probably remember the recent incident with Yahoo Messenger hijacking the browser start page to a Vietnamese Portal. […]