Skype Ransomware Worm Spreading Fast, Says Trend Micro

By Kevin Parrish
published

There's a Skype Trojan that will possibly lock users out of their PC, demanding $200, if infected.

Several security firms are warning Windows-based Skype users to be on their guard when receiving instant messages sent though the popular VoIP service.

According to the reports, a malicious worm is reportedly taking advantage of the Skype API to spam a message about a user's possible profile picture. Curious recipients clicking on the link are lead to a ZIP file hosted on Hotflie.com (variously called skype_06102012_image.zip or skype_08102012_image.zip) containing a malicious executable inside.

"We detect this initial downloader as TROJ_DLOADER.IF," Trend Micro reports. "The executable installs a variant of the Dorkbot worm, detected as WORM_DORKBOT.IF (also known as NRGbot). On installation, this worm appears to initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet."

The infection will install a ransomware variant, locking the user out of the machine. Users are then told that their files have been encrypted, and that they will be deleted unless the user coughs up $200 within 48 hours. Trend Micro reports that this worm is spreading fast, and that the malware is still under investigation.

Sophos reports that the instant message leading to the malware includes the following or something similar:

lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]

Sophos says that the executable found within the zip file is Troj/Agent-YCW or Troj/Agent-YDC. The Trojan horse opens a backdoor, allowing a hacker to take control of an infected PC from a remote location, and to communicate with a remote server via HTTP.

"There have been many variants of the Dorkbot attack spotted over the least year or so, spreading via Facebook and Twitter," Sophos reports. "The threat can also spread via USB sticks, and various instant messaging protocols. The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users."

Reports of the Skype scam seemingly began on Thursday. "Just got the lol is this your profile pic," reports one user. "It was sent several times ... I downloaded it and it came as a .zip ... I realized it was a virus and deleted the .zip file but did not open it."

"Got this message in SKYPE from a friend. Is this originating from His SKYPE?" reports another user. "YES---I clicked it, thinking it was from him."

Skype told TechCrunch that it "takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact."

Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client. Users should also avoid clicking on links that look strange, even if they come from strange friends.

Trend Micro reportedly said that more than 400 infections have been detected over the last 12 hours.

Contact Us for News Tips, Corrections and Feedback

Kevin Parrish
28 Comments Comment from the forums
  • billgatez
    People still fall for this kind of stuff?
    Reply
  • Believe it or not, regardless of whether or not the world is getting more technological with the advent of phones with computing power, people still cannot look after their own computers as they would with say cars.

    Heck some people can't even do simple maintenance on anything really.
    Reply
  • echondo
    You've got to be kidding me -_- this is the same thing that has been happening over Facebook for years now and yet nobody learns!

    Guess idiots will be idiots!
    Reply
  • frombehind
    damn, I remember the first few times this was tried... they were only asking for 40 bucks back then. Word was they netted almost 80mil in about a week.

    On one hand, I want to say I am in the wrong line of work... =D

    On the other, I really hope these people are burnt at the stake for this, only because if they aren't... that would be like the FBI declaring "open season" on the casual computer users.
    Reply
  • adgjlsfhk
    Couldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?
    Reply
  • A Bad Day
    Skype users are urged to upgrade to the newest Skype version, install all Windows security patches, and update their anti-virus client.

    I know people who still uses IE7 on their vanilla Windows Vista...
    Reply
  • beayn
    adgjlsfhkCouldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?Not sure about the details on this one, but some of them take over exe file associations so you can't run anything, even going as far as disabling task manager, regedit and command prompt.

    Others add a few thousand registry entry to block nearly every known antivirus / antimalware program from running. I usually find it fun to remove these types of things from client computers, to see if the author thought of all the tricks...etc.
    Reply
  • The-Darkening
    adgjlsfhkCouldn't you delete this after you are locked out by restarting your computer in safe mode with internet disconnected and ending the process?
    I don't think the people that gets infected with this can do that...
    Reply
  • MAC_HATER
    im sure the creator of it sat in a dark room with 1's and 0's projected onto the walls while he used a laptop while wearing a balaclava

    oh stock photos you so funny
    Reply
  • assasin32
    Yup people sadly fall for this crap, I have to reinstal an OS because my family member downloaded not once but twice in one month something that the "computer" said they needed to watch their videos online. Or to "speed up & fix" the computer. Dispite the fact that I setup the computer and have it fully automated to clean, run virus scans, defrag, etc and all the software they need to do everything they want and told them this.

    Their complaint was the video wasn't working on some unknown website that doesn't give you a good download speed or randomly times out. I fixed it the first time around, second time around the machine is fubar and not worth the hassle anymore I am just going to force them to backup their files and I will redo the OS, though the word "backup" makes them enter stupid mode despite telling them all I want them to do is copy & paste their files to this folder.

    So yes I am not surprised that these attacks still work. When in doubt attack the weakest point of security which is generally the user, prey on ignorance it's easier than trying to exploit a machine. I am sure we all have these kind of stories sadly, so it should come to no surprise.
    Reply