We recently received a tip from one of our own engineers about a suspicious-looking message he received via Yahoo Messenger from a friend of his (whom we’d prefer to keep anonymous).
The message was written in a foreign language; right now I’m really not sure which, but it looks like Vietnamese (I could be wrong, though…).
The message reads as follows:
Nhung khi buon vui lang le, ngo nhu do la mot tieng vong ve tu noi nao do xa lam toi muon nghe bai hat do nhu mot chut la lung,nho nhung ban a. Ban cung nghe voi toi nhe!!!!!!!! http://{blocked}.us.tf
Upon initial inspection, the site http://{blocked}.us.tf appears to access several other sites, one of which downloads the file http://{blocked}.com/sinhviennl/tm.exe. Fortunately, the site appears to be offline now.
We’ve managed to grab a sample of the worm, and we took a couple of screenshots before the site went down. Take a look:
(Screenshot) This is the page that actually downloads the file tm.exe.
(Screenshot) Here you can see that the file has already been downloaded and executed.
We’ve already submitted the file tm.exe to the service team, and it will be detected as WORM_QUATIM.A. We’ll try to update this article as soon as we stumble upon something new.
For the time being, however, let me remind users not to click on links they receive via Yahoo Messenger, or any instant messaging service for that matter, unless they’re 100% sure the link is safe (which 95% of the time they’re not). A lot of worms spread because users tend to be complacent, especially since the messages usually come from an actual friend or contact. Always try to verify that the message was indeed sent by your friend. If you receive no reply, it would be safe to assume that the message was sent by malware.
Thought for the Day:
An ounce of prevention is worth a pound of cure…
Update (Sheryll Tiauzon, Thu, 05 Oct 2006 03:23:48 AM)
The detection for WORM_QUATIM.A is now available for download using CPR 3.816.03.