IM worm runs wild online

Called Palevo by some anti-virus vendors and Yimfoca by others, the malware is attacking users of Yahoo! Instant Messenger. It spreads by sending each of a victim's contacts an instant message containing a link that claims to lead to a photograph; in reality the link points to a malicious executable.

BitDefender identifies the executable as Worm.P2P.Palevo.DP. "Having an unprotected system infected with Palevo.DP is a synonym for mayhem," the company said in a statement. The worm creates several hidden files in the Windows folder and modifies registry keys to point at those files, which is also how it gets past the operating system's firewall: the Windows Firewall's list of permitted applications is itself kept in the registry, so a program that writes itself into that list is not blocked.

"As with its siblings, Palevo.DP holds a backdoor component, which allows remote attackers to seize control over the compromised computer and do whatever they want with it – from installing additional malware and swiping files to launching spam campaigns and malware offensives on other systems."

According to Symantec, which identifies the malware as W32.Yimfoca, it attempts to connect to a MySpace URL, suggesting that its operators may be using the social networking site as a command-and-control channel. It then kills processes on the Windows host to disable the Microsoft Malware Protection Service and Windows Update, connects to another URL to download a configuration file, and connects on port 2345 to two further network addresses, where it waits for IRC commands. Finally it spreads by sending messages containing links to copies of the worm to all of the victim's instant messaging contacts.
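The command-and-control behaviour described above leaves a network footprint a defender can look for. The following is an added example, not code from the article or from either vendor: it flags hosts whose firewall log shows outbound TCP connections on port 2345 to more than one remote address, and checks captured payload for IRC protocol verbs, since the port number alone is a weak indicator. The log format, every sample line, and all addresses are constructed for this example.

```python
"""Detection sketch for the IRC command-and-control pattern described in the
article. Added example; the log format and sample lines are constructed."""
import re
from collections import defaultdict

C2_PORT = 2345  # port the article says the worm uses for its IRC channel

# Constructed firewall log: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2010-05-01T10:00:01 ALLOW TCP 10.0.0.15:49201 -> 93.184.216.34:80
2010-05-01T10:00:07 ALLOW TCP 10.0.0.15:49202 -> 198.51.100.7:2345
2010-05-01T10:00:09 ALLOW TCP 10.0.0.15:49203 -> 203.0.113.9:2345
2010-05-01T10:00:11 ALLOW TCP 10.0.0.22:49300 -> 198.51.100.7:443
2010-05-01T10:00:15 ALLOW TCP 10.0.0.31:49401 -> 203.0.113.9:2345
2010-05-01T10:00:18 ALLOW TCP 10.0.0.31:49402 -> 203.0.113.9:2345
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Verbs seen when a bot registers with an IRC server, joins a channel and
# keeps the session alive. Matched at line starts, whatever the port.
IRC_VERBS = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b", re.MULTILINE)


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def suspect_hosts(log_text, port=C2_PORT, min_destinations=2):
    """Return {src_ip: [dst_ip, ...]} for sources that reached at least
    min_destinations distinct remote addresses on the given TCP port.
    Repeated connections to a single address do not count twice."""
    per_src = defaultdict(set)
    for rec in parse_log(log_text):
        if rec["proto"] == "TCP" and rec["dport"] == port:
            per_src[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in per_src.items()
            if len(dsts) >= min_destinations}


def looks_like_irc(payload):
    """True if a captured TCP payload has lines starting with IRC verbs."""
    text = payload.decode("ascii", errors="replace")
    return IRC_VERBS.search(text) is not None


if __name__ == "__main__":
    for src, dsts in suspect_hosts(SAMPLE_LOG).items():
        print(f"{src} reached {len(dsts)} hosts on tcp/{C2_PORT}: {', '.join(dsts)}")
    print(looks_like_irc(b"NICK bot1\r\nUSER bot1 0 * :bot\r\nJOIN #ch\r\n"))
```

In the constructed log only 10.0.0.15 is flagged: 10.0.0.31 also talks on port 2345 but to a single address, and 10.0.0.22 never touches that port. Port 2345 is not a standard IRC port, so a hit is a candidate rather than a finding; the looks_like_irc() check on captured payload, or a proxy or DNS record for the MySpace and configuration-file URLs the article mentions, is what confirms it.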

Palevo has been spreading widely through the instant messaging vector, according to BitDefender, which says it is also affecting users of peer-to-peer file-sharing platforms: Ares, BearShare, Shareaza, iMesh, Kazaa, eMule and LimeWire are all targeted, with the worm adding copies of its code to those clients' shared files. The same spreading mechanism infects network shares and removable USB storage devices, which are compromised through Windows AutoRun: the worm drops an autorun.inf that launches its copy when the device is opened on a machine with AutoRun enabled.
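The AutoRun vector comes down to a small text file, so triage of a suspect USB stick or share can start with parsing it. The following is an added example, not code from the article or from BitDefender: it reads an autorun.inf, lists the programs it would launch, and classifies a file that both launches something and relabels the launch as Explorer's usual "Open folder to view files" action. The sample file is constructed, and the folder and executable names in it are invented for illustration.

```python
"""Triage of an autorun.inf from a removable drive or share.
Added example; the sample file and its file names are constructed."""

# Keys in the [autorun] section whose value is executed. Order is kept so
# that the output is deterministic.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")

SAMPLE_AUTORUN_INF = r"""[autorun]
; constructed sample in the style of a worm-dropped file
open=RECYCLER\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\update.exe
shell\open=&Open
"""

# Constructed benign file: sets an icon and label but runs nothing.
CLEAN_AUTORUN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"


def parse_autorun_section(inf_text):
    """Return {lowercased key: value} for the [autorun] section only.
    Blank lines, ';' comments and keys in other sections are ignored;
    the first occurrence of a duplicated key wins."""
    keys = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            keys.setdefault(key.lower(), value)
    return keys


def launch_targets(inf_text):
    """Programs the file would run, de-duplicated, in LAUNCH_KEYS order."""
    keys = parse_autorun_section(inf_text)
    seen, targets = set(), []
    for key in LAUNCH_KEYS:
        value = keys.get(key)
        if value and value not in seen:
            seen.add(value)
            targets.append(value)
    return targets


def assess(inf_text):
    """'clean' if nothing is launched, 'launches' if a program is run,
    'disguised' if it is run and the menu label imitates Explorer's own
    open-folder action so the user believes they are just browsing."""
    keys = parse_autorun_section(inf_text)
    targets = launch_targets(inf_text)
    if not targets:
        return "clean"
    if "open folder" in keys.get("action", "").lower():
        return "disguised"
    return "launches"


if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_AUTORUN_INF), ("clean", CLEAN_AUTORUN_INF)):
        print(name, assess(inf), launch_targets(inf))
```

Any program launched from a removable drive deserves a second look, but the combination of a launch key with a faked action label is the tell for this class of worm. The durable fix is not to parse the file at all but to disable AutoRun for every drive type by policy (the NoDriveTypeAutoRun registry value set to 0xFF), so that an autorun.inf is never acted on.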

According to BitDefender, countries with the highest infection rates are Romania, Mongolia, Vietnam, Indonesia, Australia, Malaysia, Thailand, France, the UK, and Kuwait, in that order.
