Endpoint Protection

  • 1.  Virus distributed via Skype messages, using goo.gl urls

    Posted May 20, 2013 02:21 PM

    Hi,

    Has anyone seen this too? I have many users reporting messages from Skype that contain a goo.gl shortened URL. When you click on them, a .zip is downloaded, and inside the .zip is a .exe file.

    Here are the URLs, don't click on them!

    Is this a Skype issue? Changing the user's Skype password does not help either.



    esta es una foto muy amable de tu parte http://goo.gl/lLGdM?foto=user
    
    esta es una foto muy amable de tu parte http://goo.gl/WKyb5?profil=user :)
    
    esta es una foto muy amable de tu parte http://goo.gl/WKyb5?profil=user :$

     

    I have submitted the downloaded files to Symantec.

     

    Many thanks

    Oliver



  • 2.  RE: Virus distributed via Skype messages, using goo.gl urls
    Best Answer

    Posted May 21, 2013 12:27 PM

    Yes, this is spam coming from malicious Skype users, so you can't really stop that.

    But SEP doesn't appear to be detecting the executable, so submitting it was the right thing to do.

    You should consider blocking the URLs or at the very least warning the user(s) about what is going on.

    BTW, the links to the exe's appear to have been taken down from the 4shared site they were hosted on.
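
One way to act on the advice above (block the links, or at least warn the affected users) is to check web proxy logs for who clicked them and who went on to fetch a .zip. This is an added example, not part of the original thread or of any Symantec tooling; the log format, client addresses, the non-goo.gl hostnames and the two-minute correlation window are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log: "<ISO time> <client> <URL>". Only the two goo.gl links
# come from the thread; every other host and path is a placeholder.
SAMPLE_LOG = """\
2013-05-20T14:01:10 10.0.0.21 http://goo.gl/lLGdM?foto=user
2013-05-20T14:01:14 10.0.0.21 http://files.example.invalid/get/foto.zip
2013-05-20T14:03:00 10.0.0.35 http://goo.gl/WKyb5?profil=user
2013-05-20T14:05:00 10.0.0.40 http://goo.gl/abc12
2013-05-20T14:05:05 10.0.0.40 http://files.example.invalid/tools.zip
2013-05-20T14:30:00 10.0.0.35 http://intranet.example.invalid/report.zip
"""

LURE_PARAMS = {"foto", "profil"}  # query keys seen in the links quoted in the thread


def is_lure(url):
    """True for a goo.gl short link carrying one of the lure query keys."""
    parts = urlsplit(url)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return (parts.hostname or "").lower() == "goo.gl" and bool(LURE_PARAMS & keys)


def triage(log_text, window=timedelta(minutes=2)):
    """Map client -> 'clicked' or 'downloaded' (a .zip fetched soon after a click)."""
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        events.append((datetime.fromisoformat(fields[0]), fields[1], fields[2]))
    events.sort()  # correlate in time order even if the log is not sorted

    last_click, status = {}, {}
    for ts, client, url in events:
        if is_lure(url):
            last_click[client] = ts
            status.setdefault(client, "clicked")
        elif urlsplit(url).path.lower().endswith(".zip"):
            clicked = last_click.get(client)
            if clicked is not None and ts - clicked <= window:
                status[client] = "downloaded"  # prioritise this host for a scan
    return status


if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, state)
```

Clients reported as "downloaded" are the ones to check first for the executable; "clicked" clients are candidates for the user warning.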



  • 3.  RE: Virus distributed via Skype messages, using goo.gl urls



  • 4.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 22, 2013 10:51 AM

    Thanks, it was indeed a virus. My main question was: is there a current vulnerability in Skype? It seems that the messages have been sent via Skype servers, without the password of the user.

    This is the virus in question. Symantec does detect it, but it cannot terminate the ser process nor delete the entry in the registry (Run).

    https://www.virustotal.com/es/file/43bdb0fa301d758c0b72b69258fc09a1d9cec57c6dcd032bea915705de0e13d3/analysis/



  • 5.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 22, 2013 10:55 AM

    If there is, Skype would need to address it. It's more likely just a spoofed message made to look like it came from Skype. It's commonplace nowadays to do this.



  • 6.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 22, 2013 11:44 AM

    I'm telling you, it is a big issue. You have a chat history in Skype with user johndoe1, you see in the chat history messages from yesterday, then you see a new message from today, you reply and the message goes to the user.

    It really is a message sent from Skype, from the "infected" user. It is not a spoof or phishing email or something like that.



  • 7.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 22, 2013 11:49 AM
    It is an issue Skype would need to handle.


  • 8.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 22, 2013 12:05 PM

    My theory is that the computer or Android phone where Skype runs is infected, and the virus uses the Skype application to create and send a legitimate encrypted Skype chat message.



  • 9.  RE: Virus distributed via Skype messages, using goo.gl urls

    Posted May 29, 2013 09:14 PM

    Oliver

    You should also review the following blog, which has updated information:

    Downloader.Liftoh Cousin to W32.Phopifas?

     

    Regards

     

    Rodrigo