IM worm installs 'safe' Web browser

New worm installs a rogue Web browser and hijacks the Internet Explorer home page on infected PCs.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A new instant messaging worm installs a rogue Web browser called "Safety Browser" and hijacks the user's Internet Explorer home page, experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found two weeks ago on the Yahoo instant messaging network and was still active as of Friday, Tyler Wells, senior director of research at FaceTime, a seller of instant messaging security products, said in an interview.

The worm drops the "Safety Browser" on the target's machine. The rogue browser uses the same icon as Microsoft's IE Web browser and, when opened, takes users to a site that installs spyware on the PC, FaceTime said. "This is the first recorded incidence of malware installing its own Web browser on a PC," the company said in a statement.

The pest also sets the victim's IE home page to Safety Browser's Web site and plays looped music that cannot be stopped, FaceTime said. Additionally, when installed the worm sends itself to all of the infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC. The link may also say "Goat_Ensem Bot" with a smiley. After someone clicks the link, at least one warning will be displayed to tell the user that software is about to be downloaded or installed and that this may be malicious, Wells said.

Researchers at Foster City, Calif.-based FaceTime discovered the pest after it hit on one of their test machines. These PCs are connected to instant messaging networks and typically logged in to chat rooms, which often are the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats by not clicking unexpected or unsolicited links.