Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
Recent Posts
Monthly Blog Archives
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« The Pooo Hijack, and an Empty Sweetbox... | Main | Rogue Security Applications Being Pushed On Myspace »

  • Skype Worm Variant Targets Other Instant Messaging Clients

Background: In recent months, there have been a number of so-called "Skype Worms" that have been spread in a similar fashion as an Instant Messaging infection - user is sent malicious link, user clicks link and becomes infected assuming they run the executable file waiting for them. Here's one - here's another.

Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...


...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) then decided to run the file you'll shortly have numerous files clogging up both your System32 and your Windows folders.

At this point, you may be notified by the Skype client that something is not quite right:

Click to Enlarge

Allow the file to "access Skype", and your contacts will see the below:

Click to Enlarge

...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:


...and here it is sending an infection message via MSN Messenger:


The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger Client. The main target appears to be Skype with regards a delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have been flagged for spam-related practices (Viagra pills, mostly) and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood, it's the same people behind this wave of attacks, too.

As always, be careful what you click on...

Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer

  • TrackBack

TrackBack URL for this entry:

Listed below are links to weblogs that reference Skype Worm Variant Targets Other Instant Messaging Clients:

» car insurance baltimore from car insurance baltimore
grounders griever.awarders Maude leeway enclose! [Read More]

» wellbutrin smoking cessation from Wellbutrin smoking cessation
Wellbutrin 100mg as low as 29 [Read More]

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.