Skype worm spreading fast

Ransom by redtype

It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype based campaign aimed at spreading malicious software.
 
Many users have reported receiving messages from friends in their Skype contact lists. So far, socially-engineered messages have been seen in both English and German (I first wrote "Bavarian accented", but it seems my German accent recognition is way off: "Moin" is north German, thanks guys), saying either:
 

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

 
or
 

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

 

Regardless of the language used, the link is the same, although of course this can easily be modified. The shortened URL eventually redirects to a download on hotfile.com which pulls down an archive named “Skype_todaysdate.zip” containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.

The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN. On installation, this worm may initiate large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.

These Dorkbot variants also steal username and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, Netflix and many others. They can interfere with DNS resolution, insert iframes into web pages, perform three different kinds of DDoS attack, act as a proxy server, and download and install further malware when instructed by the botmaster. These are only some of the capabilities of this pernicious worm; in the 24 hours since discovery, Trend Micro has blocked more than 2800 associated files.
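As an added example (not code from the original post), here is a defender-side screen for the two artefacts described above: chat messages shaped like the lure, and a downloaded archive named Skype_<date>.zip holding a single executable of the same name. The date format, the sample link and the sample archive are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Lure shape seen in the campaign: a goo.gl short link carrying an "img=" parameter.
# The real link is blocked in the post; this only matches the shape, not a specific URL.
LURE_RE = re.compile(r"https?://goo\.gl/\S+\?img=", re.IGNORECASE)

# Archive name "Skype_<todaysdate>.zip". The exact date format is an assumption,
# so any run of digits and separators is accepted after the underscore.
ARCHIVE_RE = re.compile(r"^Skype_[0-9._-]+\.zip$", re.IGNORECASE)


def is_lure_message(text: str) -> bool:
    """Flag a chat message shaped like the English or German lure."""
    return LURE_RE.search(text) is not None


def is_suspicious_skype_archive(filename: str, data: bytes) -> bool:
    """Flag an archive matching the delivery pattern described in the post:
    Skype_<date>.zip containing exactly one executable with the same base name."""
    if not ARCHIVE_RE.match(filename):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        return False          # not a zip at all: a different case, not this pattern
    if len(members) != 1:
        return False
    member = members[0].filename.rsplit("/", 1)[-1]   # strip any folder prefix
    stem = filename[: -len(".zip")]
    return member.lower() == (stem + ".exe").lower()


def build_sample_archive(member_name: str, payload: bytes) -> bytes:
    """Constructed sample archive with one member (harmless bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a placeholder short link and a made-up date string.
    print(is_lure_message("lol is this your new profile pic? http://goo.gl/XXXXXXX?img=username"))
    archive = build_sample_archive("Skype_08102012.exe", b"MZ-placeholder")
    print(is_suspicious_skype_archive("Skype_08102012.zip", archive))
```

Both checks are heuristics for triage of chat logs and download directories; a match is a reason to quarantine and inspect, not a verdict on its own.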
 
Some infections will subsequently install a ransomware variant locking the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

 

This malware is still under investigation and TrendLabs have posted initial findings here. Until then, please remember not to click on unexpected links, no matter how bleary-eyed you may be.

61 thoughts on “Skype worm spreading fast”

  8. Mariekwa

    Rik,
    Is there a tool available to decrypt the machine encrypted by the ransomware?
    I know there is a tool created by Trend Micro that decrypts Office docs encrypted by ransomware.