Security researchers are warning of an instant messenger worm that installs a maliciously constructed browser onto compromised Windows PCs. The self-propagating worm, dubbed yhoo32-explr, installs a so-called "Safety Browser". Users who install the software are directed to a site that loads spyware onto their PCs.

Yhoo32-explr spreads by sending links to a site that installs the Safety Browser to all an infected surfers' Yahoo! Messenger contacts. Safety Browser uses the IE icon in a bid to dupe unsuspecting users.

Once installed, Safety Browser hijacks the personal homepage in Internet Explorer and directs it towards the Safety Browser homepage (actually a site loaded with spyware). It also plays looped music that can't be stopped.

Safety Browser itself can't be simply uninstalled. Compromised PCs will need a good hosing down. IM security firm FaceTime describes the malware as the first instance of malicious code installing a web browser onto infected PCs.

"This is one of oddest and more insidious pieces of malware we have encountered in years," FaceTime Security Labs senior director of research Tyler Wells said.

"This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers." ®

Related stories

Buggy ActiveX controls menace Yahoo! Messenger (7 June 2007)
http://www.theregister.co.uk/2007/06/07/yahoo_activex_bug/
Skype worm leaps onto MSN (24 May 2007)
http://www.theregister.co.uk/2007/05/24/skype_msn_worm/
Warezov worm fiends target Skype (28 February 2007)
http://www.theregister.co.uk/2007/02/28/warezov_skype_im_worm/
Yahoo! Messenger! in! security! flap! (18 December 2006)
http://www.theregister.co.uk/2006/12/18/yahoo_messenger_security_flap/
Botnet creators AIM high (21 September 2006)
http://www.theregister.co.uk/2006/09/21/pipeline_worm/
Worm feasts on latest Windows vuln (14 August 2006)
http://www.theregister.co.uk/2006/08/14/cuebot_worm_targets_ms_vuln/
Yahoo!, Microsoft launch new messenger services (20 June 2006)
http://www.theregister.co.uk/2006/06/20/yahoo_ms_messenger/
Spyware dominates malware production efforts (12 June 2006)
http://www.theregister.co.uk/2006/06/12/malware_trends_aladdin/
Top of the sops (8 June 2006)
http://www.theregister.co.uk/2006/06/08/spyware_chart_may/
Hackers control bot client over P2P (2 May 2006)
http://www.theregister.co.uk/2006/05/02/nugache_worm/
Hackers download pirate movies onto compromised PCs (21 December 2005)
http://www.channelregister.co.uk/2005/12/21/bittorrent_botnet_attack/
SDBot raises IM security concerns (2 November 2005)
http://www.theregister.co.uk/2005/11/02/im_security_concerns/
AOL IM worm roots around Windows PCs (31 October 2005)
http://www.theregister.co.uk/2005/10/31/aol_im_rootkit_worm/
IM worm hits Reuters (15 April 2005)
http://www.theregister.co.uk/2005/04/15/im_worm_runs_amok/