May 1, 2009 By Andrew Brandt

Botnet malware targets MyYearbook


The team here at Webroot has picked up on a Trojan that appears to target a relatively new social networking site:

The site caters to the high-school-age crowd with activities that include various kinds of person-to-person challenges, streaming TV, and a kind of virtual matchmaker service for the tween-and-above set. We’re calling the malware that targets the site Trojan-Myblot.

We received our copy via a malicious BitTorrent download, which purportedly distributed a Windows utility. Instead, we received a file that downloaded several payloads, eventually landing our infected system firmly in the clutches of Myblot.

So what does it do? The trojan, unusual in that it requires the .Net Framework to run and was written in Microsoft’s Visual C#, runs silently in the background. While it’s running, it sends back information about the locally installed bot’s identity, whether the user of the infected system uses Gmail, and whether the infected system has received an updated bot client. It does these update checks about every 15 to 45 seconds.

Myblot reconnaissance data


Myblot phones home several times a minute
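
The 15-to-45-second check-in cadence described above is a usable network detection signal. The following added example (not Webroot's code or tooling) flags client/host pairs in proxy logs whose request gaps mostly fall in that window; the log format, the `.example` host names and the `min_gaps`/`min_ratio` thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed proxy-log lines ("<ISO time> <client> <host>"); not real traffic."""
    base = datetime(2009, 5, 1, 10, 0, 0)
    offsets = {  # seconds after `base` at which each client contacted each host
        ("10.0.0.5", "checkin.example"): [0, 21, 58, 75, 118, 140, 171, 215, 232, 270],
        ("10.0.0.7", "news.example"): [0, 2, 3, 33, 96, 400, 402, 1300],
        ("10.0.0.9", "mail.example"): [0, 300, 600, 900, 1200, 1500, 1800, 2100],
    }
    return [
        f"{(base + timedelta(seconds=s)).isoformat()} {client} {host}"
        for (client, host), secs in offsets.items()
        for s in secs
    ]


def find_beacons(lines, lo=15, hi=45, min_gaps=6, min_ratio=0.8):
    """Return (client, host, requests, ratio) for pairs whose gaps sit in [lo, hi] seconds.

    lo/hi follow the 15-45 s cadence in the article; min_gaps and min_ratio are
    assumed tuning values, not figures from the article.
    """
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip unparseable timestamps
    hits = []
    for (client, host), stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # too few requests to call it periodic
        ratio = sum(lo <= g <= hi for g in gaps) / len(gaps)
        if ratio >= min_ratio:
            hits.append((client, host, len(stamps), round(ratio, 2)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(build_sample()):
        print(hit)
```

The browsing client and the 5-minute mail poller in the sample are not flagged, because almost none of their request gaps land in the 15-to-45-second window.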


One of MyYearbook’s activities is just called “Battles” — it’s basically a way for people to post photos of themselves, or others, and earn some sort of online cred for being voted “Scariest rollercoaster face” or “Most emo.” As if. The malware spawns popup ads that look like a Battles “IQ challenge” invitation from a teenage girl who needs to put some more clothes on. When clicked, the browser redirects the user through an ad Web site called

The fake MyYearbook Battles window


There is some good news for victims. First, the infection is easily removed, whether you sweep with Webroot Spy Sweeper or delete the file manually. The malware is also pretty badly coded, so unless all the required pieces are in exactly the right location, the Trojan fails to execute, or just throws a .Net error message and quits. Clearing your Temp folder is another way to get rid of it.

Unfortunately, there’s also bad news for users of infected machines: The server that hosts the fake Battles ad also has a tendency to redirect the browser elsewhere. In particular, the browser on my test system was pushed through two separate Web sites that used browser exploits and obfuscated JavaScript code to eventually infect the system with another obnoxious piece of malware, Trojan-Relayer-Jolleee.

Jolleee quietly sends spam from infected machines to unsuspecting users, getting lists of victims and the message text from servers it contacts. So while it looks like we can easily stamp out Myblot, it doesn’t want to go out quietly, without putting up a fight.


3 Responses to Botnet malware targets MyYearbook

  1. My daughter got a popup “anti-virus” virus, that proceeded to throw up 6 different dire warnings about the system being infected, with the classic cutesy, “delete virus now, or stay infected?” invite. It masqueraded as MS, McAfee, Norton, several others.

    This was pretty pervasive, because it won’t allow you to open any files, and then eventually blocks mouse controls to prevent any clicking of any kind. I’m sure next it would promise to fix everything for only $49.95.

    To get it out, I first had to boot from a BART system disk and pull the infected files. This won’t stop it, though. It came back. So I repeated that, and it gives you just enough time to load a Windows antivirus disk, boot up and activate. That restores to pre-infection state.

    This happened again three days later, which leads me to believe the nice people at emailaddressprotectiondotcom who own myyearbook are well aware of this, and complicit in the idea, and possibly even getting kickbacks.

    My daughter decided to stay off the site in future, even with max adware and popup blockers.

    tags: malware fake virus warning removal

    • My YEARBOOK is the worst hacking infested site I have ever seen. And I am sure those that work for the site are well aware of all the pop-up adware programs constantly bombarding the site. I have noticed what appears to be alias ids throughout the network just sitting in chatter locations. They seem to be workers for the site masking around as male when in fact they are female and vice versa causing havoc with whatever user they feel they have rights to harass. I have noticed this many many times on there. I myself have even had my account tampered with by an id that I thought seemed suspicious and after deleting this id found my layout changed, their stickers deleted from my profile as well as messages deleted. I think either YB permits these antics or the site is a hacker haven. Disappointing to say the least.
