Hot off the wires from Heise:
“look what crazy photo Tiffany sent to me, looks cool”: according to the vendor, users of the Skype VoIP package could receive messages like this, containing a link pointing to malware. If the user executes it, the worm deactivates selected anti-virus solutions, blocks their update servers by adding entries to the Hosts file, and installs a trojan that then proceeds to collect data on the machine. In addition it spreads by sending messages to the contacts in the Skype contacts list.
The worm can send messages in different languages. The link purportedly points to a picture. However, a user following the link is presented with a scr-file; this is an executable handled by Windows as a screensaver. Internet Explorer offers the user a choice of executing the file or saving it to disk. To hide its malicious code the worm displays a picture named Soap Bubbles.bmp, which is present in most Windows installations.
According to Skype the manufacturers of anti-virus programmes are starting to provide signatures to detect W32.Pykspa.D (Symantec), W32/Skipi.A (F-Secure) and w32/Ramex.A. In its security announcement, Skype also offers a method that experienced users can utilise to remove the worm manually. In its analysis, Symantec states that the worm has not spread very far yet.
Fun and games.
Tags: Skype Worm, Malware, Antivirus
