According to the reports, a malicious worm is reportedly taking advantage of the Skype API to spam a message about a user's possible profile picture. Curious recipients clicking on the link are lead to a ZIP file hosted on Hotflie.com (variously called skype_06102012_image.zip or skype_08102012_image.zip) containing a malicious executable inside.
"We detect this initial downloader as TROJ_DLOADER.IF," Trend Micro reports. "The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF (also known as NRGbot). On installation, this worm appears to initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet."
The infection will install a ransomware variant, locking the user out of the machine. Users are then told that their files have been encrypted, and that they will be deleted unless the user coughs up $200 within 48 hours. Trend Micro reports that this worm is spreading fast, and that the malware is still under investigation.
Sophos reports that the instant message leading to the malware includes the following or something similar:
lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]
Sophos says that the executable found within the zip file is Troj/Agent-YCW or Troj/Agent-YDC. The Trojan horse opens a backdoor, allowing a hacker to take control of an infected PC from a remote location, and to communicate with a remote server via HTTP.
"There have been many variants of the Dorkbot attack spotted over the least year or so, spreading via Facebook and Twitter," Sophos reports. "The threat can also spread via USB sticks, and various instant messaging protocols. The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users."
Reports of the Skype scam seemingly began on Thursday. "Just got the lol is this your profile pic," reports one user. "It was sent several times ... I downloaded it and it came as a .zip ... I realized it was a virus and deleted the .zip file but did not open it."
"Got this message in SKYPE from a friend. Is this originating from His SKYPE?" reports another user. "YES---I clicked it, thinking it was from him."
Skype told TechCrunch that it "takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact."
Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client. Users should also avoid clicking on links that look strange, even if they come from strange friends.
Trend Micro reportedly said that more than 400 infections have been detected over the last 12 hours.