NEWS FROM THE LAB - Monday, April 16, 2007
 
Another Skype Worm
Posted by Francis @ 03:16 GMT

Yup! There is another Skype worm on the loose and our detection for it is IM-Worm:W32/Pykse.A. It spreads by sending a message with a malware link to all online friends in Skype's contact list using the Skype API.

The message is randomly chosen from the following list:

[Image: Skype message]

Before sending the message, it will set the infected Skype user's status to DND (Do Not Disturb). As a side effect, Skype will not actively notify the user of calls or messages, as shown in the warning message below:

[Image: Skype away]

Once the link is clicked, it will redirect and download the malware file:

[Image: Skype download]

Once you have downloaded and executed the file from the link, it will show you a picture of a lightly dressed woman, to avoid suspicion:

[Image: Skype girl]

So what's the motive behind this worm?

It seems that it is promoting the following websites:

These websites all look the same. Here's a sample screenshot:

[Image: Skype link]

The following site is also visited:

   http://aras.allfreehost.net/cal[REMOVED]nt.php

This is most probably a counter to find out how many users are infected. It could also be a way for the malware writer to quantify his profit. Who knows; malware nowadays is mostly financially driven and motivated.

Signing off Skype,
Francis
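
The behaviour described above (status switched to DND, then a link sent to every online contact) can be turned into a simple detection heuristic. The following is an added example, not code from the original post or from F-Secure; the event layout, account names, thresholds and example.invalid URLs are all constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed events: (time in seconds, account, kind, detail).
# This layout is hypothetical; map your own IM telemetry onto it.
SAMPLE_EVENTS = [
    (100, "alice", "status", "DND"),
    (101, "alice", "msg", ("bob", "check this out http://example.invalid/a.htm")),
    (102, "alice", "msg", ("carol", "is this you? http://example.invalid/a.htm")),
    (103, "alice", "msg", ("dave", "lol http://example.invalid/a.htm")),
    (200, "erin", "status", "DND"),
    (205, "erin", "msg", ("frank", "agenda: http://example.invalid/doc")),
    (250, "gina", "msg", ("bob", "http://example.invalid/x")),
    (251, "gina", "msg", ("carol", "http://example.invalid/x")),
    (252, "gina", "msg", ("dave", "http://example.invalid/x")),
    (300, "hank", "status", "DND"),
    (500, "hank", "msg", ("bob", "http://example.invalid/y")),
    (600, "hank", "msg", ("carol", "http://example.invalid/y")),
    (700, "hank", "msg", ("dave", "http://example.invalid/y")),
]

def find_im_worm_bursts(events, window=60, min_recipients=3):
    """Flag accounts that switch to DND and, within `window` seconds, send
    link-bearing messages to at least `min_recipients` distinct contacts."""
    dnd_at = {}                  # account -> time of the latest switch to DND
    reached = defaultdict(set)   # account -> contacts sent a link since then
    flagged = set()
    for ts, account, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "status":
            reached.pop(account, None)       # any status change restarts the count
            if detail == "DND":
                dnd_at[account] = ts
            else:
                dnd_at.pop(account, None)    # left DND: stop tracking
        elif kind == "msg" and account in dnd_at:
            recipient, text = detail
            # The message text varies, so key on "contains a link", not on content.
            if ts - dnd_at[account] <= window and URL_RE.search(text):
                reached[account].add(recipient)
                if len(reached[account]) >= min_recipients:
                    flagged.add(account)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_im_worm_bursts(SAMPLE_EVENTS))
```

In the sample, only the account that fans a link out to three contacts right after going DND is flagged; the single message, the fan-out without a status change and the slow fan-out are not.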