• silicon.com
• Technology
• Security

By Joris Evers, 23 May 2006 08:25

NEWS

A new instant messaging worm installs a rogue web browser called "Safety Browser" and hijacks the user's Internet Explorer homepage, experts have warned.

The worm, dubbed "yhoo32.explr" by FaceTime Security Labs, was found two weeks ago on the Yahoo! instant messaging network and was still active as of Friday, Tyler Wells, senior director of research at FaceTime, a seller of IM security products, said in an interview.

The worm drops the "Safety Browser" on the target's machine. The rogue browser uses the same icon as Microsoft's IE web browser and, when opened, takes users to a site that installs spyware on the PC, FaceTime said. The company said in a statement: "This is the first recorded incidence of malware installing its own web browser on a PC."

The pest also sets the victim's IE homepage to Safety Browser's website and plays looped music that cannot be stopped, FaceTime said. Additionally, when installed the worm sends itself to all of the infected user's contacts, the security company said.

The new threat arrives as a link in a message box on the target's PC. The link may also say "Goat_Ensem Bot" with a smiley. After someone clicks the link, at least one warning will be displayed to tell the user that software is about to be downloaded or installed and that this may be malicious, Wells said.

Researchers at FaceTime discovered the pest after it hit on one of their test machines. These PCs are connected to instant messaging networks and typically logged in to chatrooms, which are often the starting point for new IM worms.

IM users can protect themselves against this and many other IM threats by not clicking unexpected or unsolicited links.

Joris Evers writes for CNET News.com