By Andrew Brandt & Grayson Milbourne
A novel worm we’re calling Worm-IM-Shorty appears to be winding its way through Facebook and some instant messaging services, with its come-on disguised as a link to a photograph hosted elsewhere. But when recipients click the link, they receive an executable Trojan instead, dressed up with the name and icon of a JPEG image.
If one double-clicks the file, the Trojan turns the computer into an advertising cash cow for some enterprising malware distributor. The Trojan modifies the active browser’s home page setting to a malicious page on domredi.com, which in turn redirects the browser, at random, to one of several domains hosted on a server in The Netherlands. Each page the browser loads is filled with ads, and when you load an ad-filled page, someone likely gets paid. Follow the money, and you’ll find the perps.