Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Skype worm

Published: 2007-09-10
Last Updated: 2007-09-11 08:29:28 UTC
by Maarten Van Horenbeeck (Version: 3)
0 comment(s)

A worm is currently spreading which is specifically aimed at Skype users. Known as Ramex, Skipi or Pykspa, it abuses the chat function of Skype to send a short message containing a link to a seemingly benign JPEG file to other users. Users that click on the link will download and run a copy of the worm, and start to infect others.

The binary is not packed and easy to dissect. It contains code to turn off several security applications, and alters the hosts file to disable the downloading of updates. It then uses the Skype API to send the following messages in Lithuanian and English, depending on the client's user interface:

pala biski
 :S
as net nezinau ka tavo vietoj daryciau.
matai :D
geras ane ?
patinka?
kas cia tavim taip isderge ? =]]
cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
cia tu isimetei ?
zek kur tavo foto metos isdergta
(mm) kaip as taves noriu
ziurek kur tavo foto imeciau :D
esi?
labas
what ur friend name wich is in photo ?
this (happy) sexy one
u happy ?
oh sry not for u
oops sorry please don't look there :S
you checked ?
(rofl)
(devil)
really funny
now u populr
haha lol
look what crazy photo Tiffany sent to me,looks cool
I used photoshop and edited it
where I put ur photo :D
your photos looks realy nice
look
how are u ? :)

Skype's heartbeat has a brief entry on this new malcode which contains manual removal instructions. Samples of the worm have been gathered and are currently under analysis to improve anti virus coverage. In the meanwhile, you may wish to educate your users not to click on these appearingly benign links.

--
Maarten Van Horenbeeck

Keywords:
0 comment(s)
Diary Archives