Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
SpywareGuide powered by FaceTime Security Labs
Search SpywareGuide Greynets Database & Site
Security Email Alerts & Updates
Search the Blog
Recent Posts
Monthly Blog Archives
Subscribe to this blog's feed
About the Blog
About SpywareGuide Greynets Blog
Link to Us
Link to SpywareGuide.com

« BandJammer - Hacking A Myspace Music Profile Near You | Main | Microsoft Roundup »

  • Skype Worm Preys Upon Good Samaritans..

Today we came across a file that sends infection links via Skype, the latest in a long line of Stration / Warezov variants to do such a thing.

However, this one does a few things we've not seen before from this kind of file. Yes, it's a Stration variant and so will attempt to steal your Email as standard. What's unusual here is the amount of files it drops, and (more creepily) the message that gets sent. I'm not too sure how well news of the disappearance of Madeleine McCann has spread across the Atlantic, but here in Europe (and a few other places) the news continues to rage on with an endless stream of sightings and theories.

So as someone based in the UK, and confronted with the latest developments in this case every day via TV, radio and the Internet, the following random message with its very specific wording generated a really strange resonance for me:


To me, this is attempting to play into the heightened sense of "a stranger on every street corner" in a very deliberate fashion. Obviously it's not a direct reference to the McCann case, but the intention of playing upon the current media frenzy regarding the safety of children and / or females in general is clear. Of course, the file being pushed is an executable named "Photo" to further the social engineering bid:

Click to Enlarge

It's worth noting (aside from the rather distasteful spam message) that the payload is a lot bigger than what we've typically seen from these sort of installs in the past (there's a fair amount of CPU drain while the install takes place, too). Here's what you'll find in your System32 Folder:


And here's what you'll see in your Windows directory if you take a look around:


Some of the files dropped seem to be a little random - again, previous Skype hijacks of this nature that we've seen tend to install the same thing almost every single time.

Part of this infection searches all files with the following extensions looking for e-mail information to steal:
- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .eml
- .htm
- .html
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .wab
- .wsh
- .xls
- .xml

You might want to block all of the following (if you don't already have them on your ban list, that is):

If you're interested, you can see a little more on the Warezov gang URLs here at the F-Secure blog.

The obvious advice here is to try and resist any and all seemingly well intentioned messages sent out of the blue via Skype. We detect this as Is4GRL.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

  • TrackBack

TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide JapanJapanese

© Copyright 2006, FaceTime Communications, Inc. All rights reserved.