A new worm has been discovered that targets Skype, the voice-over-IP (VoIP) telephone application. The worm uses the Skype Control API to send text chat messages containing a malicious link to other Skype users. We highlighted the possibility of the Skype API being used as an infection vector for malicious code in a blog article in May of this year: http://www.symantec.com/enterprise/security_response/weblog/2006/05/vulnerabilities_of_the_skype_a.html
However, in this case the security measures implemented by Skype have not been bypassed programmatically. Instead, the worm pleads with the user via a pop-up message box to "Allow this program in skype."
On a live system, the user will receive this pop-up box from the worm, quickly followed by Skype's access control dialog:
The result of seeing these two dialogs in quick succession might confuse and trick the more “click-happy” novice user into allowing the worm to communicate with Skype, but it is doubtful that the more astute user will fall victim to this ploy. Several ways of bypassing this access control dialog programmatically exist, so it seems likely that this sample is only a proof-of-concept and may be an indication of more advanced attacks to come.
In contrast to most threats, the worm (dubbed W32.Chatosky by Security Response in reference to the Skype chat function) does not make a copy of itself on the compromised computer, nor does it modify the registry so that it runs when the computer is restarted. However, it does demonstrate the ability to propagate on a new medium.
The worm searches the registry for the Skype application path and runs it. It also creates a hidden window to interact with Skype and queries it for a random user every three minutes. Each time it finds one, it sends that user a chat message containing a link; if the recipient clicks the link, the worm is downloaded.
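Telemetry-side detection of the propagation pattern described above, added here as an illustrative example that is not from the original post or from Symantec. It assumes host telemetry that attributes each Skype API chat send to the calling process (the program named in Skype's access-control dialog) and uses constructed sample events; it flags a process that sends link-bearing chats to several distinct users at roughly the worm's three-minute cadence, while leaving a bursty, single-contact sender alone.

```python
import re
import statistics
from datetime import datetime

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)

# Constructed telemetry, not real data: (timestamp, process that drove the
# Skype API, chat recipient, message text). The worm-like process sends the
# same link to a fresh user about every three minutes; the benign plug-in
# chats with one contact in a short burst.
SAMPLE_EVENTS = [
    ("2006-12-18 10:00:00", "suspect.exe", "user_a", "look http://example.invalid/x"),
    ("2006-12-18 10:03:01", "suspect.exe", "user_b", "look http://example.invalid/x"),
    ("2006-12-18 10:06:02", "suspect.exe", "user_c", "look http://example.invalid/x"),
    ("2006-12-18 10:09:00", "suspect.exe", "user_d", "look http://example.invalid/x"),
    ("2006-12-18 10:01:00", "plugin.exe", "user_a", "see http://example.invalid/docs"),
    ("2006-12-18 10:01:30", "plugin.exe", "user_a", "and http://example.invalid/more"),
    ("2006-12-18 10:02:00", "plugin.exe", "user_a", "lunch?"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_propagators(events, min_recipients=3, period_s=180.0, tolerance_s=30.0):
    """Flag processes whose URL-bearing chats fan out to many distinct users on
    a roughly fixed cadence. Returns {process: (distinct_recipients, median_gap_s)}."""
    sends = {}
    for ts, proc, recipient, text in events:
        if URL_RE.search(text):  # only messages that carry a link matter here
            sends.setdefault(proc, []).append((_ts(ts), recipient))
    flagged = {}
    for proc, rows in sends.items():
        rows.sort()
        recipients = {r for _, r in rows}
        if len(recipients) < min_recipients:  # no fan-out, so not worm-like
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period_s) <= tolerance_s:  # timer-driven cadence
            flagged[proc] = (len(recipients), median_gap)
    return flagged


if __name__ == "__main__":
    for proc, (n, gap) in find_propagators(SAMPLE_EVENTS).items():
        print(f"{proc}: links sent to {n} distinct users, median gap {gap:.0f}s")
```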
Skype users should be aware of this new threat and should not click any suspicious links from other Skype users, even if the message is from a known contact. Currently, the link the worm sends is inaccessible, but that may change at any time. Detection for the worm is available, starting from Rapid Release virus definitions version 12/18/2006 (rev. 54).