In association with heise online

11 September 2007, 14:50

Skype worm out and about

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

"look what crazy photo Tiffany sent to me, looks cool": according to the vendor, users of the Skype VoIP package could receive messages like this, containing a link pointing to malware. If the user executes it, the worm deactivates selected anti-virus solutions, blocks their update servers by adding entries to the Hosts file, and installs a trojan that then proceeds to collect data on the machine. In addition it spreads by sending messages to the contacts in the Skype contacts list.

The worm can send messages in different languages. The link purportedly points to a picture. However, a user following the link is presented with a scr-file; this is an executable handled by Windows as a screensaver. Internet Explorer offers the user a choice of executing the file or saving it to disk. To hide its malicious code the worm displays a picture named Soap Bubbles.bmp, which is present in most Windows installations.

According to Skype the manufacturers of anti-virus programmes are starting to provide signatures to detect W32.Pykspa.D (Symantec), W32/Skipi.A (F-Secure) and w32/Ramex.A. In its security announcement, Skype also offers a method that experienced users can utilise to remove the worm manually. In its analysis, Symantec states that the worm has not spread very far yet.

Users of instant messaging applications should be aware that following an unexpected link in a message - especially if stemming from an unknown sender - is just as dangerous as with links in emails. Further hints on guarding oneself against threats by malware can be found on the heise Security anti-virus pages.

Fortunately, w32/Ramex.A is not taking advantage of a problem Skype and other programs such as Firefox have handling special URIs. It can be used by attackers or malware to execute programs on affected computers with parameters without further user interaction after following a prepared link. Acting on information by heise Security, the developers of Skype have examined the problem and regard it as a fault within Windows. According to the company, the programmers may have found a simple solution for the fault, which they would incorporate into the next version of Skype if applicable.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit