How to Remove IM WormThere’s a new IM Worm spreading on Yahoo Messenger. The good news is that the file is an executable which requires a user to run it for it to become active. Unfortunately, users will more than likely run the .exe file as they may think it is safe because it came from a friend.

A smiley-faced instant message with a photo link posing as if it’s from someone on your buddy list is actually spreading misery worldwide in the form of a worm on Yahoo Instant Messenger: The IM ultimately delivers a worm that allows an attacker to take over the victim’s machine, not to mention spread itself among the victim’s contact list.

Updated: May 3, 2010 1:15:15 AM
Type: Worm
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Description: W32.Yimfoca is a worm that spreads by sending links through Yahoo! Messenger.

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. “Today it started spreading like wildfire,” Coisoi says.

The worm — known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec — is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable.

BitDefender says the worm contains a backdoor, which lets an attacker take over the victim’s compromised machine, to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems.

“You can do anything you want with a backdoor — keylogging to search for passwords, or it could be a botnet,” Coisoi says. “It offers the attacker full system access.”

How to remove the IM (Yimfoca) Worm:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions here.