Vulnerability Development mailing list archives

Possible Yahoo Messenger security issues


From: Eddie Chandler <echandler () taos com>
Date: 4 Jan 2002 19:21:11 -0000



Dear all,
I believe I have found a security issue to do with
Yahoo Messenger, specifically one of the programs
that comes with it - YSERVER.EXE.

From a PC running Windows 98, dialed into an ISP
with PPP - no firewall - I noticed a slowdown on the
machine. The task list revealed YSERVER.EXE, a
program I had no knowledge of and had not invoked
myself. A file-search of yser*.* returned
YSERVER.EXE in the directory that Yahoo
Messenger had been installed into and a log file,
YSERVER.LOG.

I terminated the program, dropped the connection and
looked at the log file. Within it were multiple IP
addresses from which "GET... cmd.exe" commands,
as per Nimda/CodeRed, were coming. This led
me to believe that YSERVER.EXE may be advertising
itself as a webserver.

To verify that the IP addresses were infected, after
renaming the executable I went to the homepage of
one of them and received a download message of
a .EML file coupled with a warning from Norton Anti-Virus
that the file being offered was infected with
Nimda.

I decided to search the web for information about
YSERVER.EXE and found only one pertinent piece of
information in
http://pluglist.mybutt.net/pipermail/plug-security/2001-November/000106.html
posted by Craig Carey.

Thus far I have found an extreme lack of information
on the web, including on Yahoo's site itself, about this
executable and how it is called/why it advertises itself
without the user being aware.

Given the above occurrence I find myself wondering,
especially after the AIM hole exposure, what the
ramifications are for Yahoo Messenger? Obviously,
with the YSERVER advertising itself it is making a
user a target for not only probes but also DOS
attacks but, does it go further than that? Can
YSERVER be buffer-overflowed and the machine
exploited/wiped/have malicious code installed to
partake in a DDOS?

Unfortunately program analysis is not my field and I
have no knowledge of using debuggers or how to
apply methodologies to try to reproduce the
invocation of programs like this, so I am posting here,
having been advised to by Elias Levy, for those of you
with the expertise to analyse my findings and see if
this is actually an issue.


System on which behaviour happened:  Pentium 233, 
80MB RAM, Windows 98, IE5.5SP2 (OS & IE fully 
patched)
Connected to internet via PPP
Programs being run at time of discovery:  ZMUD, 
Yahoo Messenger, Eudora, TheCleaner, NukeNabber
(YSERVER found to be running but not invoked by 
user action)
Version of Yahoo Messenger: 4,1,0,998
Date of occurrence: Dec 24th, 2001
(Yahoo notified via Customer feedback on website 
that evening)

Note: YSERVER.EXE also found in current build 
5,0,0,1052


Thank you for your time,
Eddie Chandler
Sys-Admin
NT4 MCSE, Win2K Pro MCP
www.taos.com
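The log evidence described in the post above (an unexpected web listener recording "GET ... cmd.exe" requests from many addresses) is the kind of thing a small triage script can sort out quickly: which entries match the well-documented Nimda and Code Red probe strings, and which source addresses sent them. This is an added example, not code from the original post or from Yahoo; the real YSERVER.LOG format is unknown, so it assumes Apache-style common log lines, and the sample entries below are constructed. The worm signatures used are the publicly documented request paths of those worms, not anything taken from this log.

```python
"""Triage a web-server log for Nimda / Code Red probe signatures.

Added example, not part of the original mailing-list post. ASSUMPTION: the
log uses Apache-style common log format; the real YSERVER.LOG layout is
unknown, so adapt LOG_RE if your lines look different.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Widely documented probe paths of the worms named in the post. A match means
# the *source* address is an infected scanner; it says nothing about whether
# the listener on this host served or executed anything.
SIGNATURES = {
    "codered": [re.compile(r"^/default\.ida\?", re.I)],
    "nimda": [
        re.compile(r"/cmd\.exe", re.I),
        re.compile(r"/root\.exe", re.I),
        re.compile(r"/winnt/system32/", re.I),       # traversal to system32
        re.compile(r"%c0%af|%c1%1c|\.\./", re.I),     # directory-traversal encodings
    ],
}

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample entries (not from the real YSERVER.LOG).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2001:18:02:11 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [24/Dec/2001:18:02:12 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.17 - - [24/Dec/2001:18:05:40 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 -
198.51.100.9 - - [24/Dec/2001:18:06:01 -0500] "GET /index.html HTTP/1.1" 200 1234
this line is not in log format and is counted as unparsed
"""


def classify_request(path: str) -> Optional[str]:
    """Return the worm family whose probe signature matches the request path."""
    for worm, patterns in SIGNATURES.items():
        if any(p.search(path) for p in patterns):
            return worm
    return None


def parse_line(line: str) -> Optional[dict]:
    """Split one common-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines) -> dict:
    """Count probe hits per worm family and collect the probing source IPs."""
    hits = Counter()
    sources = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        worm = classify_request(rec["path"])
        if worm:
            hits[worm] += 1
            sources[worm].add(rec["ip"])
    return {
        "hits": dict(hits),
        "sources": {w: sorted(s) for w, s in sources.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG.splitlines())
    for worm, n in report["hits"].items():
        print(f"{worm}: {n} probe(s) from {', '.join(report['sources'][worm])}")
    print(f"unparsed lines: {report['unparsed']}")
```

The point of the classification is to separate what the log proves from what it does not: hits against these signatures confirm that the machine was reachable and being scanned by infected hosts, which by itself is only a symptom of an unexpected listener being exposed on a dial-up address with no firewall. Whether the listener itself is exploitable is the separate question the post raises, and this script does not answer it; it only gives the list of probing sources and the status codes needed to see whether any request was answered with something other than an error.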