Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New IM Trojan Spreading Via Yahoo Messenger and Facebook

Security researchers from Bitdefender have warned that a new instant messaging Trojan has infected hundreds of computers all over the world.

Security researchers from Bitdefender have warned that a new instant messaging Trojan has infected hundreds of computers all over the world.

Identified as Gen:Variant.Downloader.167 by Bitdefender, the malware distributes itself through Facebook’s instant messaging feature and Yahoo Messenger.

Experts say the Trojan relies on “polite” messages, which it sends from infected computers to users from the victim’s contact list. The malicious messages read something like this: “I want to post these pictures on Facebook, do you think it’s OK?”

The messages are accompanied by links to popular file sharing services like Fileswap and Dropbox where the threat is hosted. Bitdefender experts have told SecurityWeek that the malicious file is first executed without parameters. The malware then creates a folder with a random name in Application Data and it copies itself to this folder with a random name and an “.exe” extension.

Then, it creates a registry entry in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the name Counter Background WWAN Thread Mapper User NetBIOS. Once all this is done, the victim is presented with the following error message in an effort to avoid raising any suspicion: “This application is not compatible with the version of Windows you’re running. Check your computer’s system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.”

Gen:Variant.Downloader.167 Screenshot

Another executable file with a random name is created in the same folder in Application Data. This file is executed with two parameters: WATCHDOGPROC, and the path to the first executable file.

Finally, a configuration file is created in the same folder, and the malware connects to a command and control server.

According to Bitdefender, Cybercriminals can command the Trojan to download other pieces of malware and eventually harvest confidential data, such as usernames, passwords and even banking credentials.

“The Trojan hides some of its encrypted data between biblical verses. The data is eventually decrypted with numbers generated by a mathematical processor,” Bitdefender Security Specialist Bianca Stanescu told SecurityWeek.

The largest number of infections have been spotted in Romania, Germany and Canada. However, infected computers are also located in the United States, the United Kingdom, France and Denmark.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...