- Skype Worm Variant Targets Other Instant Messaging Clients
Background: In recent months, there have been a number of so-called "Skype Worms" that have spread in the same fashion as an Instant Messaging infection: the user is sent a malicious link, clicks it and becomes infected, assuming they run the executable file waiting for them. Here's one - here's another.
Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...
...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) then decided to run the file you'll shortly have numerous files clogging up both your System32 and your Windows folders.
At this point, you may be notified by the Skype client that something is not quite right:
Allow the file to "access Skype", and your contacts will see the below:
...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:
...and here it is sending an infection message via MSN Messenger:
The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger client. The main target appears to be Skype as the delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have been flagged for spam-related practices (Viagra pills, mostly), and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood, it's the same people behind this wave of attacks, too.
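The common thread in this bundle is the lure itself: a link in an IM message to a directly executable file (here a .pif) named to look like "photos". The following is an added example, not code from the original post or from the researchers credited below, showing how a defender might flag such links in captured IM traffic. The message lines, the host name example.invalid and the function names are all constructed for illustration; the extension and lure-word lists are assumptions about what a sensible filter would cover, not something the post enumerates.

```python
import re
from urllib.parse import urlparse

# Extensions Windows runs as programs when double-clicked; .pif is the one
# this bundle uses, the others are common stand-ins (assumed list).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs"}
# Words a lure filename uses to pass as a harmless picture (assumed list).
LURE_WORDS = {"photo", "photos", "pic", "pics", "picture", "image", "img"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def classify_link(url):
    """Return the reasons a URL looks like an IM-worm lure, or [] if it looks benign."""
    reasons = []
    path = urlparse(url).path.lower()
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return reasons
    stem, ext = name.rsplit(".", 1)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # "photos.pif": a program pretending to be a picture
        if any(word in stem for word in LURE_WORDS):
            reasons.append("executable named like an image")
        # "photo.jpg.scr": image extension hidden in front of the real one
        if "." in stem and stem.rsplit(".", 1)[-1] in IMAGE_EXTS:
            reasons.append("double extension")
    return reasons


def scan_messages(lines):
    """Scan IM message lines and return (url, reasons) for every suspicious link."""
    findings = []
    for line in lines:
        for url in URL_RE.findall(line):
            reasons = classify_link(url)
            if reasons:
                findings.append((url, reasons))
    return findings


# Constructed sample IM traffic (not taken from the post); the first two
# lines mimic the lure pattern described above, the third is a benign link.
SAMPLE_MESSAGES = [
    "[skype] alice: check out my holiday pics http://example.invalid/photos.pif",
    "[msn] bob: lol http://example.invalid/gallery/photo.jpg.scr",
    "[icq] carol: meeting notes http://example.invalid/notes.pdf",
]

if __name__ == "__main__":
    for url, reasons in scan_messages(SAMPLE_MESSAGES):
        print(url, "->", "; ".join(reasons))
```

The check is deliberately naive about the host: these campaigns rotate domains quickly (the post notes the hosts are already flagged for spam), so the stable signal is the executable-masquerading-as-photo filename rather than where it is hosted.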
As always, be careful what you click on...
Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer