Skype Ransomware Worm Spreading Fast, Says Trend Micro
There's a Skype Trojan that will possibly lock users out of their PC, demanding $200, if infected.
Several security firms are warning Windows-based Skype users to be on their guard when receiving instant messages sent though the popular VoIP service.
According to the reports, a malicious worm is reportedly taking advantage of the Skype API to spam a message about a user's possible profile picture. Curious recipients clicking on the link are lead to a ZIP file hosted on Hotflie.com (variously called skype_06102012_image.zip or skype_08102012_image.zip) containing a malicious executable inside.
"We detect this initial downloader as TROJ_DLOADER.IF," Trend Micro reports. "The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF (also known as NRGbot). On installation, this worm appears to initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet."
The infection will install a ransomware variant, locking the user out of the machine. Users are then told that their files have been encrypted, and that they will be deleted unless the user coughs up $200 within 48 hours. Trend Micro reports that this worm is spreading fast, and that the malware is still under investigation.
Sophos reports that the instant message leading to the malware includes the following or something similar:
lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]
Sophos says that the executable found within the zip file is Troj/Agent-YCW or Troj/Agent-YDC. The Trojan horse opens a backdoor, allowing a hacker to take control of an infected PC from a remote location, and to communicate with a remote server via HTTP.
"There have been many variants of the Dorkbot attack spotted over the least year or so, spreading via Facebook and Twitter," Sophos reports. "The threat can also spread via USB sticks, and various instant messaging protocols. The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users."
Reports of the Skype scam seemingly began on Thursday. "Just got the lol is this your profile pic," reports one user. "It was sent several times ... I downloaded it and it came as a .zip ... I realized it was a virus and deleted the .zip file but did not open it."
"Got this message in SKYPE from a friend. Is this originating from His SKYPE?" reports another user. "YES---I clicked it, thinking it was from him."
Skype told TechCrunch that it "takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact."
Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client. Users should also avoid clicking on links that look strange, even if they come from strange friends.
Trend Micro reportedly said that more than 400 infections have been detected over the last 12 hours.
Guess idiots will be idiots!
Heck some people can't even do simple maintenance on anything really.
Heck some people can't even do simple maintenance on anything really.
Guess idiots will be idiots!
On one hand, I want to say I am in the wrong line of work... =D
On the other, I really hope these people are burnt at the stake for this, only because if they aren't... that would be like the FBI declaring "open season" on the casual computer users.
I know people who still uses IE7 on their vanilla Windows Vista...
Others add a few thousand registry entry to block nearly every known antivirus / antimalware program from running. I usually find it fun to remove these types of things from client computers, to see if the author thought of all the tricks...etc.
I don't think the people that gets infected with this can do that...
oh stock photos you so funny
Their complaint was the video wasn't working on some unknown website that doesn't give you a good download speed or randomly times out. I fixed it the first time around, second time around the machine is fubar and not worth the hassle anymore I am just going to force them to backup their files and I will redo the OS, though the word "backup" makes them enter stupid mode despite telling them all I want them to do is copy & paste their files to this folder.
So yes I am not surprised that these attacks still work. When in doubt attack the weakest point of security which is generally the user, prey on ignorance it's easier than trying to exploit a machine. I am sure we all have these kind of stories sadly, so it should come to no surprise.
Don't use facebook and haven't know about this infection until now.
There was one virus that corrupted task manager, regedit, and command prompt, which required an OS reinstall to fix.
Although the McAfee OAS didn't pick it up, I manually deleted the virus because the folder containing the 100 MB monster was conveniently located in "My Documents".
Make sure you check to see if they did actually copy the files, rather than create shortcuts!
"I don't understand what's the problem.. Look. When I double click on the file here it opens... so it's copied. See?"
How many times have we seen people create a shortcut to a file, on their USB flash drive, test the file and make sure it works, and then scratch their heads when the file wont open on another PC? hehe
You must have missed the part where it encrypts your data files. How does disconnecting from the internet help you to get the data files back especially if you don't have backup copies of those data files before the worm encrypted them.
The ransom part is to get you to pay them within a certain time period to have them decrypted or the data files will be deleted.
Ohh that one I never thought of, I be sure to double check for that, thanks. I would hate to be at family dinners for the next few years if that's what they did.
I downloaded the zip, unzipped it, then checked the extension of the file inside. I was expecting .jpg or .png due to the message stating it was a picture. When I saw .exe I thought lolno, not opening that.
So I deleted it. So far so good. No infections.
I'm running Comodo Internet Security, Malwarebytes, and Comodo Firewall. Oddly enough neither Comodo nor Malwarebytes detected it as a virus. A good antivirus should be capable of picking up zero-day malware, so this makes me wonder...