May 07 2010
Skype – New target of the worm spreading via IM
Only a few days after the emergence of the worm spreading via Yahoo! Messenger (Ymfocard), we have detected a new and more sophisticated wave of attacks targeting both Skype and Yahoo! Messenger.
Messages with different contents sent via Skype
Like Ymfocard, the worm still spreads by inserting malicious URLs into chat windows; this time, however, its social engineering is much more sophisticated.
Each time it spreads, the worm sends messages with different contents, for example, “Does my new hair style look good? bad? perfect?”, “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?”… Users are more easily tricked into clicking the link by these messages, because they tend to think that “their friend(s)” are asking for advice. Moreover, the URL appears to point to a .JPG file, reinforcing the impression that it is an image.
If a user clicks the link, the browser immediately loads a website with a Rapidshare-like interface, where a .zip file is available for download.
Rapidshare-like interface
A .zip file is available for download
The extracted file is actually an executable with a .com extension. However, it is disguised as a .JPG file, and the .com extension is cleverly passed off as a .com domain (where the file is hosted).
After analyzing the worm, we found that it has more complicated functions and operations than Ymfocard. The worm:
- Automatically exits if Skype or Yahoo! Messenger is not installed on the victim’s computer.
- Automatically sends messages with different contents, containing malicious URLs, to the user names in the user’s Skype/Yahoo! Messenger friend list.
- Automatically injects the malicious link into Word and Excel files or into emails that are being composed.
- Connects to an IRC server to receive commands from the hacker.
- Blocks the operation of antivirus software.
- Employs anti-virtual-machine and anti-sandbox techniques.
- Uses rootkit techniques to hide its files and processes.
- Prevents users from accessing more than 700 security and antivirus websites.
- Automatically copies itself, along with an Autorun.inf file, onto USB drives to spread.
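A defensive check for the disguise described above, added here as an example and not taken from the Bkis analysis: it scans a downloaded .zip for members whose names look like images but end in an executable extension such as .com, or whose image extension hides an MZ executable header. The archive and its file names are constructed for illustration; the post does not give the worm's real file name.

```python
import io
import re
import zipfile

# Extensions Windows will execute directly; .com is the one named in the post.
EXEC_EXTS = {"com", "exe", "scr", "pif", "bat", "cmd"}
# An image extension appearing as a token anywhere in the file name.
IMAGE_TOKEN = re.compile(r"(jpe?g|png|gif|bmp)(?![a-z])")


def classify(name, head):
    """Return a reason if the member looks like an executable posing as an image."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    stem, _, ext = base.rpartition(".")
    if ext in EXEC_EXTS and IMAGE_TOKEN.search(stem):
        return "image-like name ends in executable extension ." + ext
    if head[:2] == b"MZ" and IMAGE_TOKEN.fullmatch(ext):
        return "image extension but MZ executable header"
    return None


def scan_zip(data):
    """Return (member name, reason) for every deceptive member of a zip archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # enough to recognise the MZ magic
            reason = classify(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample():
    """Constructed archive: two lures and two harmless files (all contents fake)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG0542.JPG-www.example.com", b"MZ\x90\x00 constructed")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0 constructed")
        zf.writestr("notes.txt", b"constructed text")
        zf.writestr("photo.png", b"MZ\x90\x00 constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()):
        print(member, "->", why)
```

The same `classify` function can be applied to a mail or proxy gateway's attachment names; plain executables with no image token in the name are deliberately left to other controls.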
Bkav has detected this Worm as W32.Skyhoo.Worm
Once again, we recommend that IM users be careful before clicking any links they receive, even from friends or relatives. Users should also regularly update the antivirus software on their computers.
Bkis




Hi,
“* Anti virtual machine and sandbox”
Does this mean the malware can detect if it is run within a virtual machine (for example, for testing/analysis), and effectively infect the host OS through the virtual machine? I’ve always wondered about the possibility of this happening.
Thanks,
Yuri
[...] The malware arrives via instant message through Yahoo or Skype with any one of a number of messages, including “Does my new hair style look good? bad? perfect?” or “My printer is about to be thrown through a window if this pic won’t come out right. You see anything wrong with it?” Bkis wrote in a blog post. [...]
[...] BKIS (Bach Khoa Internetwork Security) researchers May 7 said the attack comes via messages such as, “Does my new hairstyle look good? bad? perfect?” and “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?” The messages contain malicious links. [...]
[...] Security researchers from Vietnamese antivirus vendor Bkis are again amongst the first to report on the new attacks, which, this time, have extended beyond YM and affect Skype too. “Still using the method of inserting malicious URLs into chat windows like [their alias for the worm discovered earlier this week], however, social engineering skill of the Worm, this time, is much more sophisticated than the previous one,” they warn. [...]
[...] the malware arrives via instant message through Yahoo or Skype with various types of messages. In a blog-post written on the Bkis Blog, the link looks like a jpeg/ image file link. When the user clicks on the web-page link he is taken [...]
[...] can be infected by downloading the worm from a Rapidshare-like site, writes security company Bkis. The user thinks they are downloading a photo from a friend, who [...] the link via [...]
[...] security researcher has reported in his blog, Bkis Blog, that a new worm is spreading in Yahoo Messenger and [...]
[...] the Ymfocard worm that surfaced last week in Yahoo Messenger. The new variant, identified by antivirus company Bkis as W32.Skyhook.Worm, now also spreads via [...]
[...] Bkis has named the worm W32.Skyhoo.Worm. Be very careful when accessing links through Yahoo Messenger and Skype. Be sure you know who the content is coming from and remember that it is generally a bad idea to click through on links unless you absolutely know where the link will take you and who it’s from. [...]
[...] is perhaps one of the most interesting campaigns due to the fact that it’s propagating across Skype and Yahoo! Messenger, and is also attempting to avoid automatic detection by engaging in a conversation with the [...]
[...] Recent exploits of Yahoo! Messenger and Skype point to another infection vector outside the browser — the IM client. Why the IM client? That part is easy — it’s a fairly popular app people use to communicate. In many respects, the recent IM Client exploits are simply a substitute for exploits through email. Of course with many people using IM clients in addition to email, IM becomes another target rich vector to exploit with links to malware. In addition, many users consider IMs more trustworthy since spam hasn’t quite exploited IM like it has email. So when you get an IM from a friend, you are more likely to trust its content. In the case of these recent exploits, the victim gets an IM from a friend with an embedded link. See below for a screen capture of the Skype IM client from Bkis Task Force Blog. Skype IM client exploit (from http://blog.bkis.com/en/skype-new-target-of-the-worm-spreading-via-im/) [...]
[...] this month warned of a vicious virus targeting both Skype and Yahoo! Messenger. BKIS said in a blog post the attack involved inserting malicious URLs into chat windows with sophisticated social [...]