Skype Worm Variant Targets Other Instant Messaging Clients

| | Comments (0)

Background: In recent months, there have been a number of so-called "Skype Worms" that have been spread in a similar fashion as an Instant Messaging infection - user is sent malicious link, user clicks link and becomes infected assuming they run the executable file waiting for them. Here's one - here's another.

Yesterday, I discovered what appears to be a new collection of "Skype Worm" infection binaries in circulation - it uses the tried and tested methods employed by similar infections over the past few months, with the ultimate payload being the Stration Worm. Aside from that, there's another little surprise waiting but we'll get to that shortly...

skypew1.jpg

...the above is a .pif file, pretending to be "photos". Yes, there are many people who will fall for this. If you were sent there via a malicious link in your Skype client (from an infected friend, say) then decided to run the file you'll shortly have numerous files clogging up both your System32 and your Windows folders.

At this point, you may be notified by the Skype client that something is not quite right:

http://blog.spywareguide.com/upload/2007/05/skypew3-thumb.jpg
Click to Enlarge

Allow the file to "access Skype", and your contacts will see the below:

http://blog.spywareguide.com/upload/2007/05/skypew4-thumb.jpg
Click to Enlarge

...with the infection message leading to more rogue files. Remember the "little surprise" I mentioned earlier? Well, it looks like the makers of this bundle wanted to hedge their bets, so with that in mind, one of the files deposited onto the target PC checks to see if a number of different Instant Messaging programs are installed. After a little while testing some of the applications mentioned, we eventually saw the below pop up on a test machine, courtesy of one of the additional files downloaded to the PC:

icqspread.JPG

...and here it is sending an infection message via MSN Messenger:

msnspread.JPG

The infection checks the registry for evidence of programs like AIM, Trillian, Yahoo Messenger, Miranda and (of course) ICQ - however, so far we've only seen it fire a message to an ICQ and an MSN Messenger Client. The main target appears to be Skype with regards a delivery mechanism for the messages sent, but the potential for the infection to leap across various networks is obviously there. The domains the files are hosted on have been flagged for spam-related practices (Viagra pills, mostly) and the whole operation is very similar to previous outbreaks of these Skype worms. In all likelihood, it's the same people behind this wave of attacks, too.

As always, be careful what you click on...

Write up, Research: Chris Boyd, Director of Malware Research
Research: Ramesh Kumarasamy, Threat Research Engineer

Leave a comment

About this Entry

This page contains a single entry by Christopher Boyd published on May 23, 2007 1:10 PM.

The Pooo Hijack, and an Empty Sweetbox... was the previous entry in this blog.

Rogue Security Applications Being Pushed On Myspace is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.