Skype worm spreading fast

Ransom by redtype


 
It’s Monday morning and the bleary-eyed start of a new week. Criminals are taking advantage of our post-weekend lassitude by starting a Skype-based campaign aimed at spreading malicious software.
 
Many users have reported receiving messages from friends in their Skype contact lists. So far, socially engineered messages have been seen in both English and German (I first called it Bavarian-accented, but it seems my German accent recognition is way off: “Moin” is north German, thanks guys), saying either:
 

“lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username”

 
or
 

“moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username”

(In English: “hi, hard to believe what lovely photos of you are on your profile”.)

 

Regardless of the language used, the link is the same, although of course this can easily be modified. The shortened URL eventually redirects to a download on hotfile.com which pulls down an archive named “Skype_todaysdate.zip” containing a single executable file of the same name. We detect this initial downloader as TROJ_DLOADER.IF.
 
The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF or WORM_DORKBOT.DN respectively. On installation, this worm may initiate large-scale click-fraud activity on each compromised machine, recruiting it into a botnet.
 
These Dorkbot variants will also steal user name and password credentials for a vast array of websites including Facebook, Twitter, Google, PayPal, NetFlix and many others. They can interfere in DNS resolution, insert iFrames into web pages, perform three different kinds of DDoS attack, act as a proxy server and download and install further malware at the botmaster’s initiation. These are only some of the functions of this pernicious worm. In the 24 hours since discovery, Trend Micro have blocked more than 2800 associated files.
 
Some infections will subsequently install a ransomware variant locking the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

 

This malware is still under investigation and TrendLabs have posted initial findings here. Until then, please remember not to click on unexpected links, no matter how bleary-eyed you may be.
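For defenders who want to screen chat logs or mail/web gateway downloads for the delivery pattern described above, here is a small Python sketch. It is an added example, not Trend Micro detection logic; the function names, the list of executable extensions and the sample values are assumptions, and the only traits it keys on are the ones in this post (a goo.gl link carrying the recipient's username in `img=`, and a “Skype_….zip” holding one executable of the same name).

```python
import io
import re
import zipfile
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

SHORTENERS = {"goo.gl"}                      # the only shortener named in the post
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}  # assumption: Windows executable types
URL_RE = re.compile(r"\bh(?:tt|__)ps?://\S+", re.I)  # also matches defanged h__p

def lure_urls(message, recipient):
    """URLs in a chat message that fit the lure: a shortened link whose
    img= parameter carries the recipient's own username."""
    hits = []
    for raw in URL_RE.findall(message):
        url = re.sub(r"^h__p", "http", raw.rstrip("”\"'.,)"), flags=re.I)
        parts = urlsplit(url)
        names = [v.lower() for v in parse_qs(parts.query).get("img", [])]
        if (parts.hostname or "").lower() in SHORTENERS and recipient.lower() in names:
            hits.append(url)
    return hits

def archive_matches_dropper(zip_name, zip_bytes):
    """True for 'Skype_<something>.zip' holding exactly one executable
    whose name matches the archive's, as the post describes."""
    stem = PurePosixPath(zip_name.replace("\\", "/")).stem.lower()
    if not stem.startswith("skype_"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return False
    if len(members) != 1:
        return False
    inner = PurePosixPath(members[0])
    return inner.suffix.lower() in EXEC_EXT and inner.stem.lower() == stem

if __name__ == "__main__":
    # Constructed sample message and archive, not captured from the campaign.
    msg = "lol is this your new profile pic? h__p://goo.gl/EXAMPLE?img=alice"
    print(lure_urls(msg, "alice"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Skype_01012000.exe", b"MZ constructed placeholder")
    print(archive_matches_dropper("Skype_01012000.zip", buf.getvalue()))
```

As the post notes, the link can easily be modified, so treat a match as a triage signal rather than a verdict.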

 

61 thoughts on “Skype worm spreading fast”

  9. Fernando Madruga

    What evidence is there that this particular infection *does* include ransomware? Or is it something that the attackers may push onto affected victims' computers?

    1. Rik Ferguson Post author

      Hi Nicole, thanks for reading. I have not yet seen any MacOS Dorkbot variants, however, not clicking on unexpected links is still good advice regardless, there is plenty of other Mac malware out there.

  45. Marcus

    Bavarian German? Where?

    ‘Moin’ is a German term used in northern Germany and roughly translates into “I wish you luck”

  46. Tony Larks / Trend Micro

    What made this attack more interesting is that this morning, my Google+ account announced that it had uploaded all of my photos from my Android phone to my G+ account automatically. Immediately I was worried what I’d shared, and when I logged on this morning, the first Skype I received was in German and after I’d translated it, told me that they could see my photos. I held off the temptation to click whilst I found that my photos were only available to me.

    Monday morning panic over.
