Skype Worm on the Loose Again

Updated: 29 Jun 2009
John McDonald

A new variant in the family of worms Symantec calls "Pykspa", W32.Pykspa.D, is targeting Skype Instant Messenger. It spreads by using Skype's chat function, sending contacts a message containing a link to what appears to be a harmless .jpeg file; clicking the link actually downloads and runs a copy of the worm on the user's computer. In an attempt to mask this activity, the worm displays a legitimate Windows image (if it exists on the victim's machine): the bitmap file Soap Bubbles.bmp, contained by default in the Windows installation directory. So if you saw the image below recently after clicking on a link contained in a Skype message from someone, chances are your machine is infected.

[Image: Soap Bubbles.bmp]

To make matters worse, the worm attempts to shut down certain security software that may be running on the victim's machine, and also prevents the downloading of updates by disabling access to security-related Web sites via modifications to the hosts file.
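One way to check a machine for the hosts-file tampering described above, as an added example that is not part of the original post or the Symantec writeup. The watchlist domains and the sample hosts content are constructed placeholders; the function names are hypothetical.

```python
import ipaddress

# Constructed watchlist: placeholder names standing in for the security-related
# sites an administrator wants to keep reachable (the real list is not on this page).
WATCHLIST = {"av-vendor.example", "securityupdates.example"}

# Constructed sample hosts-file content.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # added entry
0.0.0.0 www.av-vendor.example downloads.AV-Vendor.example
10.0.0.5        intranet.corp.example
not-an-ip       www.av-vendor.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the line
        for name in fields[1:]:  # one line may map several names
            yield line_no, str(ip), name.lower().rstrip(".")

def is_watched(name, watchlist):
    """True if name equals a watchlist entry or is a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watchlist)

def overridden_security_sites(text, watchlist=WATCHLIST):
    """Return every hosts mapping that overrides DNS for a watched name."""
    return [(n, ip, name) for n, ip, name in parse_hosts(text)
            if is_watched(name, watchlist)]

if __name__ == "__main__":
    for line_no, ip, name in overridden_security_sites(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a security vendor's domain deserves a look, whatever address it points to.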

The worm then accesses the list of Skype contacts and sends a chat message to each one. It checks the language settings of the Skype client and is capable of sending chat messages in different languages, including Latvian, Russian, and English. Messages observed to date include the following:

:S
(devil)
(happy)
(mm) kaip as taves noriu
(rofl)
a ?
as net nezinau ka tavo vietoj daryciau.
cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
cia tu isimetei ?
esi?
haha lol
hey
how are u ? :)
I used photoshop and edited it
kas cia tavim taip isderge ? =]]
labas
look
look what crazy photo Tiffany sent to me,looks cool
matai :D
now u populr
oh sry not for u
oops sorry please don't look there :S
ops
pala biski
patinka?
really funny
sky
this (happy) sexy one
u happy ?
vgeras ane ?
what ur friend name wich is in photo ?
where I put ur photo :D
you checked ?
your photos looks realy nice
zek kur tavo foto metos isdergta
ziurek kur tavo foto imeciau :D

More detailed information, including a list of these messages and lists of the affected security software and security-related Web sites mentioned above, is available in the W32.Pykspa.D writeup.

Skype have also listed some information on their blog.