Filed Under:
WEEKLY REVIEW

Weekly Malware Review - Trojan.Agent.Delf.RHO Owns Your Yahoo Messenger Account

27 November 2009
Instant messaging services are becoming an essential part of our lives, for business and personal users alike, and it was only a matter of time until these applications ended up in malware authors' crosshairs.

Today's example details an extremely dangerous Trojan with worm capabilities that mostly affects Romanian Yahoo! Messenger (YIM) users.

Called Trojan.Agent.Delf.RHO, this piece of malware spreads via links sent as instant messages on Yahoo! Messenger on behalf of other infected users. In order to trick the user into accessing the malicious links, the Trojan places them in a plausible context. For instance, some messages warn the victim that he / she is infected and should immediately download a cleaning utility via the provided link, while others advertise an "invisible / ignore" contact scanner. Trojan.Agent.Delf.RHO seems to have its roots in Romania, since the messages it sends are written in Romanian.

The link takes the user to a web site or blog containing an embedded movie that asks the user to download a codec, which turns out to be the Trojan itself. Upon execution, the setup file installs the following files: %WINDIR%\system32\yahooui.exe, %WINDIR%\system32\yahooauth2.dll, %WINDIR%\system32\ssleay32.dll, and %WINDIR%\system32\libeay32.dll.
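As an added example (not code from the original article or from BitDefender), the helper below checks a list of observed file paths against the dropped files named above and returns a verdict. It assumes, as a caveat of my own rather than the article's, that ssleay32.dll and libeay32.dll are the OpenSSL runtime DLLs shipped by many legitimate programs, so on their own they are only weak evidence, while yahooui.exe and yahooauth2.dll in system32 are the distinctive indicators.

```python
import ntpath
import os

# Dropped-file indicators from the review, relative to %WINDIR%.
# Assumption: the two OpenSSL DLLs also ship with legitimate software,
# so they are scored as weak evidence; the Yahoo-named files are strong.
STRONG_INDICATORS = {r"system32\yahooui.exe", r"system32\yahooauth2.dll"}
WEAK_INDICATORS = {r"system32\ssleay32.dll", r"system32\libeay32.dll"}


def _relative_to_windir(path, windir):
    """Lower-case a Windows path and strip the %WINDIR% prefix if present."""
    p = path.lower().replace("/", "\\")
    w = windir.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p[len(w):] if p.startswith(w) else p


def assess_dropped_files(observed_paths, windir=r"C:\Windows"):
    """Return (verdict, matched_indicators) for a list of file paths.

    verdict is "match" when a strong indicator is present, "inconclusive"
    when only the OpenSSL DLLs are present, and "clean" otherwise.
    """
    rel = {_relative_to_windir(p, windir) for p in observed_paths}
    strong = sorted(rel & STRONG_INDICATORS)
    weak = sorted(rel & WEAK_INDICATORS)
    if strong:
        verdict = "match"
    elif weak:
        verdict = "inconclusive"
    else:
        verdict = "clean"
    return verdict, strong + weak


def scan_windir(windir=None):
    """Check the live system (meaningful on Windows only) for the indicators."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    present = [ntpath.join(windir, rel)
               for rel in STRONG_INDICATORS | WEAK_INDICATORS
               if os.path.exists(ntpath.join(windir, rel))]
    return assess_dropped_files(present, windir)


if __name__ == "__main__":
    # Constructed sample: a host with one strong and one weak indicator.
    sample = [r"C:\Windows\system32\yahooui.exe",
              r"C:\Windows\system32\ssleay32.dll"]
    print(assess_dropped_files(sample))
```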

The Trojan waits for the user to sign into their account and then starts sending spam messages to the contacts in the user's list.

Trojan.Agent.Delf.RHO is more than meets the eye: apart from being annoying, it also invites other friends to its party, such as the extremely dangerous Trojan.Spy.Banker.ACFQ, which tries to trick the user into accessing phishing sites targeting e-banking services.

In order to avoid infections, we recommend that you install and regularly update a complete antimalware suite with antivirus, antispam, antiphishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher Mihai-Andrei Livadariu.




Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.
