
Skype Ransomware Worm Spreading Fast, Says Trend Micro

Source: Trend Micro | 28 comments

There's a Skype Trojan that can lock infected users out of their PC and demand $200.

Several security firms are warning Windows-based Skype users to be on their guard when receiving instant messages sent through the popular VoIP service.

According to these reports, a worm is abusing the Skype API to spam contacts with a message about the recipient's supposed profile picture. Curious recipients who click the link are led to a ZIP file hosted on Hotfile.com (variously called skype_06102012_image.zip or skype_08102012_image.zip) that contains a malicious executable.

"We detect this initial downloader as TROJ_DLOADER.IF," Trend Micro reports. "The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF (also known as NRGbot). On installation, this worm appears to initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet."

The infection will install a ransomware variant, locking the user out of the machine. Users are then told that their files have been encrypted, and that they will be deleted unless the user coughs up $200 within 48 hours. Trend Micro reports that this worm is spreading fast, and that the malware is still under investigation.

Sophos reports that the instant message leading to the malware includes the following or something similar:

lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]

Sophos says that the executable found within the zip file is Troj/Agent-YCW or Troj/Agent-YDC. The Trojan horse opens a backdoor, allowing a hacker to take control of an infected PC from a remote location, and to communicate with a remote server via HTTP.
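As an added example (not code from the article or from any of the vendors it quotes), the two checks a defender could automate from what is described here: matching the shape of the lure message and inspecting the downloaded "picture" archive for executables. The shortener list and the sample message are assumptions; the sample ZIP is constructed inline and contains only placeholder text.

```python
import io
import os
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Lure shape reported on this page: a casual "profile pic" question plus a
# goo.gl short link that carries the recipient's name in an img= parameter.
LURE_RE = re.compile(r"\bis this your (?:new )?profile pic\b", re.IGNORECASE)
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}  # assumption: shorteners worth flagging
# Archive names quoted in the article follow skype_DDMMYYYY_image.zip.
ARCHIVE_RE = re.compile(r"^skype_\d{8}_image\.zip$", re.IGNORECASE)
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

def score_message(text: str) -> list:
    """Reasons a Skype IM matches the reported lure; an empty list means no match."""
    reasons = []
    if LURE_RE.search(text):
        reasons.append("lure-phrase")
    for url in re.findall(r"https?://\S+", text):
        parsed = urlparse(url)
        if parsed.netloc.lower() in SHORTENERS:
            reasons.append("short-link")
        if "img" in parse_qs(parsed.query):
            reasons.append("img-param")  # personalised link, as in the quoted message
    return reasons

def inspect_archive(name: str, data: bytes) -> list:
    """Flag a 'picture' ZIP that really carries executables (the check Pherule did by eye)."""
    findings = []
    if ARCHIVE_RE.match(name):
        findings.append("campaign-filename")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXEC_EXT:
                findings.append("executable:" + info.filename)
    return findings

def build_sample_zip(inner_name: str) -> bytes:
    """Constructed stand-in for the downloaded archive: a text placeholder, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes for the example")
    return buf.getvalue()
```

Running `score_message` over an IM feed and `inspect_archive` over downloads gives two independent signals; either alone is noisy, both together match the campaign this page describes.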

"There have been many variants of the Dorkbot attack spotted over the last year or so, spreading via Facebook and Twitter," Sophos reports. "The threat can also spread via USB sticks, and various instant messaging protocols. The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users."

Reports of the Skype scam seemingly began on Thursday. "Just got the lol is this your profile pic," reports one user. "It was sent several times ... I downloaded it and it came as a .zip ... I realized it was a virus and deleted the .zip file but did not open it."

"Got this message in SKYPE from a friend. Is this originating from His SKYPE?" reports another user. "YES---I clicked it, thinking it was from him."

Skype told TechCrunch that it "takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact."

Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client. Users should also avoid clicking on links that look strange, even if they appear to come from friends.

Trend Micro reportedly said that more than 400 infections have been detected over the last 12 hours.



Discuss
Top Comments
  • billgatez, October 9, 2012 12:48 AM (score 15)
    People still fall for this kind of stuff?
  • echondo, October 9, 2012 1:23 AM (score 12)
    You've got to be kidding me -_- this is the same thing that has been happening over Facebook for years now and yet nobody learns!

    Guess idiots will be idiots!
  • Anonymous, October 9, 2012 1:08 AM (score 10)
    Believe it or not, regardless of whether or not the world is getting more technological with the advent of phones with computing power, people still cannot look after their own computers as they would with say cars.

    Heck some people can't even do simple maintenance on anything really.
Other Comments
  • frombehind, October 9, 2012 1:29 AM (score 5)
    damn, I remember the first few times this was tried... they were only asking for 40 bucks back then. Word was they netted almost 80mil in about a week.

    On one hand, I want to say I am in the wrong line of work... =D

    On the other, I really hope these people are burnt at the stake for this, only because if they aren't... that would be like the FBI declaring "open season" on the casual computer users.
  • adgjlsfhk, October 9, 2012 1:36 AM (score -3)
    Couldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?
  • A Bad Day, October 9, 2012 1:56 AM (score 4)
    Quote:
    Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client.

    I know people who still use IE7 on their vanilla Windows Vista...
  • beayn, October 9, 2012 1:58 AM (score 4)
    adgjlsfhk: Couldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?

    Not sure about the details on this one, but some of them take over exe file associations so you can't run anything, even going as far as disabling task manager, regedit and command prompt.

    Others add a few thousand registry entries to block nearly every known antivirus / antimalware program from running. I usually find it fun to remove these types of things from client computers, to see if the author thought of all the tricks...etc.
  • The-Darkening, October 9, 2012 2:05 AM (score 3)
    adgjlsfhk: Couldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?

    I don't think the people that get infected with this can do that...
  • MAC_HATER, October 9, 2012 2:08 AM (score 6)
    im sure the creator of it sat in a dark room with 1's and 0's projected onto the walls while he used a laptop while wearing a balaclava

    oh stock photos you so funny
  • assasin32, October 9, 2012 2:11 AM (score 3)
    Yup people sadly fall for this crap, I have to reinstall an OS because my family member downloaded not once but twice in one month something that the "computer" said they needed to watch their videos online. Or to "speed up & fix" the computer. Despite the fact that I setup the computer and have it fully automated to clean, run virus scans, defrag, etc and all the software they need to do everything they want and told them this.

    Their complaint was the video wasn't working on some unknown website that doesn't give you a good download speed or randomly times out. I fixed it the first time around, second time around the machine is fubar and not worth the hassle anymore I am just going to force them to backup their files and I will redo the OS, though the word "backup" makes them enter stupid mode despite telling them all I want them to do is copy & paste their files to this folder.

    So yes I am not surprised that these attacks still work. When in doubt attack the weakest point of security which is generally the user, prey on ignorance it's easier than trying to exploit a machine. I am sure we all have these kind of stories sadly, so it should come to no surprise.
  • jupiter optimus maximus, October 9, 2012 2:20 AM (score 3)
    echondo: You've got to be kidding me -_- this is the same thing that has been happening over Facebook for years now and yet nobody learns! Guess idiots will be idiots!

    Don't use facebook and hadn't known about this infection until now.
  • A Bad Day, October 9, 2012 3:57 AM (score 0)
    beayn: Not sure about the details on this one, but some of them take over exe file associations so you can't run anything, even going as far as disabling task manager, regedit and command prompt. Others add a few thousand registry entries to block nearly every known antivirus / antimalware program from running. I usually find it fun to remove these types of things from client computers, to see if the author thought of all the tricks...etc.

    There was one virus that corrupted task manager, regedit, and command prompt, which required an OS reinstall to fix.

    Although the McAfee OAS didn't pick it up, I manually deleted the virus because the folder containing the 100 MB monster was conveniently located in "My Documents".
  • techcurious, October 9, 2012 4:11 AM (score 0)
    assasin32: ...though the word "backup" makes them enter stupid mode despite telling them all I want them to do is copy & paste their files to this folder.

    Make sure you check to see if they did actually copy the files, rather than create shortcuts! ;)
    "I don't understand what's the problem.. Look. When I double click on the file here it opens... so it's copied. See?"
    How many times have we seen people create a shortcut to a file, on their USB flash drive, test the file and make sure it works, and then scratch their heads when the file won't open on another PC? hehe
  • chulex67, October 9, 2012 4:40 AM (score 1)
    i have to say that if you are a frequent user of this website and u download the file then u either had one of those 3 stupid moments in your life and u went full retard or u are just plain retarded.
  • bin1127, October 9, 2012 5:19 AM (score 1)
    I don't know about you guys, but I'm always glad to help out my long lost uncle in cambodia with his 4th liver transplant.
  • aaron88_7, October 9, 2012 5:39 AM (score 0)
    This is where not enough people are mentioning the awesome program that is Sandboxie
  • ko888, October 9, 2012 6:11 AM (score 0)
    adgjlsfhk: Couldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?

    You must have missed the part where it encrypts your data files. How does disconnecting from the internet help you to get the data files back, especially if you don't have backup copies of those data files from before the worm encrypted them?
    The ransom part is to get you to pay them within a certain time period to have them decrypted or the data files will be deleted.
  • cphorn15, October 9, 2012 6:18 AM (score 0)
    I honestly just had a customer try to purchase a Green Dot Moneypak card for $200 dollars in order to unlock his computer. I guess this must be what he was talking about. I just told him to take it to Geek Squad since he doesn't seem to understand scams anyway.
  • assasin32, October 9, 2012 6:55 AM (score 0)
    techcurious: Make sure you check to see if they did actually copy the files, rather than create shortcuts! "I don't understand what's the problem.. Look. When I double click on the file here it opens... so it's copied. See?" How many times have we seen people create a shortcut to a file, on their USB flash drive, test the file and make sure it works, and then scratch their heads when the file won't open on another PC? hehe

    Ohh that one I never thought of, I'll be sure to double check for that, thanks. I would hate to be at family dinners for the next few years if that's what they did.
  • Pherule, October 9, 2012 11:23 AM (score 0)
    Got sent a link to the file from a contact. This was three days ago so I was not aware that it was malicious.

    I downloaded the zip, unzipped it, then checked the extension of the file inside. I was expecting .jpg or .png due to the message stating it was a picture. When I saw .exe I thought lolno, not opening that.

    So I deleted it. So far so good. No infections.
    I'm running Comodo Internet Security, Malwarebytes, and Comodo Firewall. Oddly enough neither Comodo nor Malwarebytes detected it as a virus. A good antivirus should be capable of picking up zero-day malware, so this makes me wonder...