Yup! There is another Skype worm on the loose and our detection for it is IM-Worm:W32/Pykse.A. It spreads by sending a message with a malware link to all online friends in Skype's contact list using the Skype API.
The message is randomly chosen from the following list:
Before sending the message, it will set the infected Skype user's status to DND (Do Not Disturb). As a side effect, Skype will not actively notify the user of calls or messages, as shown in the warning message below:
Once the link is clicked, it will redirect and download the malware file:
Once you have downloaded and executed the file from the link, it will show you a picture of a lightly dressed woman, to avoid suspicion:
So what's the motive behind this worm?
It seems that it is promoting the following websites:
http://aras.lookingat.us/index.htm
http://asilas.my-php.net/index.html
http://bobodada.3-hosting.net/index.html
http://bobos45.bebto.com/index.html
http://gogo442.hatesit.com/index.html
http://jackdaniels.110mb.com/index.html
http://timboss.1majorhost.com/index.html
http://zozole.php0h.com/index.html
These websites all look the same. Here's a sample screenshot:
The following site is also visited:
http://aras.allfreehost.net/cal[REMOVED]nt.php
This is most probably a counter to find out how many users are infected. This could also be a way for the malware writer to quantify his profit. Who knows, malware nowadays is mostly driven and motivated financially.