Skype worm spreads, using LOL trick to infect unwary users

Filed Under: Botnet, Featured, Malware, Ransomware

Skype users are warned to be on their guard, regarding malicious instant messages that have been sent through the service, designed to infect Windows computers.

A malicious worm is taking advantage of the Skype API to spam out messages similar to the one below:

lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]

Clicking on the suspicious links leads to the download of a ZIP file (variously called skype_06102012_image.zip or skype_08102012_image.zip) that contains executable files detected by Sophos anti-virus products as Troj/Agent-YCW or Troj/Agent-YDC.

The Trojan horse opens a backdoor, allowing a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.

On execution the malware copies itself to

%PROFILE%\Application Data\Jqfsfb.exe

and sets the autostart entry as below:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Jqfsfb"
description    = "Skype "
publisher      = "Skype Technologies S.A."
image          = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string  = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"
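As an added example (not from the article or from Sophos), the PowerShell audit below lists entries in the current user's Run key that match the persistence pattern above: an image living under Application Data, not validly signed, and possibly claiming Skype as its publisher. It assumes Windows Vista or later with PowerShell 3+; the function names are mine.

```powershell
# Added example: audit HKCU Run entries for Dorkbot-style persistence.
# Reports only; it does not delete anything.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # %APPDATA%

function Get-ImagePath([string]$launchString) {
    # Quoted path: take what is inside the quotes; otherwise the first token.
    if ($launchString -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($launchString -split '\s+', 2)[0]
}

function Test-RunEntry {
    param([string]$Name, [string]$LaunchString)
    $image = Get-ImagePath $LaunchString
    $flags = @()

    # Legitimate Skype installs do not start from the roaming profile.
    if ($image -like "$appData\*") { $flags += 'image under Application Data' }

    if (Test-Path -LiteralPath $image) {
        $sig = Get-AuthenticodeSignature -FilePath $image
        if ($sig.Status -ne 'Valid') { $flags += "signature status: $($sig.Status)" }
        # The 'publisher' shown in the article comes from PE version info,
        # which any binary can claim; a valid signature is what proves it.
        $company = (Get-Item -LiteralPath $image).VersionInfo.CompanyName
        if ($company -match 'Skype' -and $sig.Status -ne 'Valid') {
            $flags += "claims publisher '$company' but is not validly signed"
        }
    } else {
        $flags += 'image not found on disk'
    }

    [PSCustomObject]@{ Name = $Name; Image = $image; Flags = ($flags -join '; ') }
}

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Test-RunEntry -Name $_.Name -LaunchString ([string]$_.Value) } |
        Where-Object { $_.Flags } |
        Format-Table -AutoSize
}
```

Run it in the context of the affected user, since the key is per-user; an entry with no flags is not printed.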

Before you know it, your passwords could have been stolen, your computer could be recruited into a botnet (the malware is a variant of the Dorkbot worm) and you could have fallen victim to a ransomware attack.

There have been many variants of the Dorkbot attack spotted over the last year or so, spreading via Facebook and Twitter. The threat can also spread via USB sticks, and various instant messaging protocols.

The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users.

Always remember to be suspicious of unsolicited out-of-character messages sent to you by your online friends.

You don't know that it was a friend who sent you the message, all you know is that it was their account which posted it to you... and who knows if it was compromised or not?

Update: A Skype spokesperson contacted Naked Security to give us the following statement:

"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."

Thanks to Anna and Julie at SophosLabs for their assistance with this article.


26 Responses to Skype worm spreads, using LOL trick to infect unwary users

  1. Epicblood · 747 days ago

    I got this spam sent to me, apparently it breaks if you message back.

  2. lesexdanslacite · 747 days ago

    hum very bad day for skype user

  3. i have another sample of this sent to a friend of mine if any guys interested let me know

  4. jamesgryffindor99 · 747 days ago

    I got this scam a few days ago and I scanned with Panda (I am on Windows) and it was detected as suspicious, I'm glad I deleted it

  5. All you have to do would be put your security settings so no one can work on it remotely. This is simple enough to do.

  6. dunxd · 747 days ago

    It's all very well warning skype users to be on their guard, but what is the advice from Sophos to its customers in dealing with this where users have clearly been infected?

    • Graham Cluley · 746 days ago

      Sophos detects the malware involved (we list what we detect it as in the article) - so our products should be able to help you if you were unfortunate enough to have become infected. Any problems, please contact our support team.

      Hope that helps.

  7. Guido Faulkes · 747 days ago

    I don't think this works on Vista or Win7, I mean the autorun registry value probably cannot be written without admin grant and post-XP OSes do not grant that by default.

    In fact I cannot see why this is called malware per se. User running code ruining self is not malware, because there is no exploit involved, it's just a self-imposed Darwin Award.

    • Graham Cluley · 746 days ago

      "User running code ruining self is not malware, because there is no exploit involved, it's just a self-imposed Darwin Award. "

      In which case, the vast majority of malware we see each day isn't considered by you to be malware. As most of the Trojans, viruses and worms that we see don't exploit any vulnerabilities other than the bugs in people's brains, and use social engineering instead to trick users into running them.

      Your definition of malware doesn't match that used by the majority of people - and I think most folks would be upset if we only detected the malware that exploited software vulnerabilities.

  8. Mathias · 747 days ago

    I've seen this message in English, Swedish, German and Thai so far. All within a few minutes. The company where I work uses Skype for some types of communication, so I guess we've had a few people infected so far.

    Does anyone know for sure if these messages are sent only from users that are infected, or if it poses as other people on your contact list? Judging from the different languages in which I've received the message (and from who), it appears that the message is in Thai from Thai users etc. This could indicate that the worm uses the infected users location to select the message language.

    If the worm would have used the recipient's location for language selection, I wouldn't have gotten messages in Thai from users in Thailand and in German from users in Germany I think.

  9. Mahdi Hasan · 746 days ago

    I got this also tomorrow but I clicked it, what can I do now?

    • Graham Cluley · 745 days ago

      You may want to scan your computer with an up-to-date anti-virus.

      It may also be friendly to warn any friends that you could have passed the message onto to watch out for unsolicited messages from you.

  10. vigilum · 746 days ago

    Well Eng/Ger messages are not so surprising, however there has also been an outbreak of this worm in Czech Republic with messages in Czech, which I haven't seen for quite a while (OK, Thai surprised me a little bit too.). I rather wonder whether it uses a translator or has translated strings saved in it.

    Messages are sent as soon as you get infected and only from infected users, sometimes even repeatedly.

    P.S. It works even on Windows 7 - seen at least two infected users (but there is possibility of UAC turned off or modified version of worm).

    • leocooper · 743 days ago

      I've seen that message in Finnish but it was a really poor translation, probably done with Bing or Google Translate so that might explain the other languages too.

  11. NotSkypeUser · 745 days ago

    Does this issue affect the Mac version of Skype?

    • Graham Cluley · 745 days ago

      You can certainly receive the messages via Skype on a Mac. However, the malware we have seen so far targets Windows computers.

  12. Richard Hodgson · 744 days ago

    A note to all: The executable isn't always Jqfsfb.exe - It appears to have changed in a recent outbreak we had this morning.

  13. Heino Schmidt · 740 days ago

    Hello,

    one user downloaded this zip file but Sophos detected no Trojan!

    He saved this file and I sent this sample to Sophos.

  14. Heino Schmidt · 739 days ago

    Hello,

    sophos wrote back:

    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

    Skype_10162012_foto.exe -- identity created/updated (New detection Troj/Agent-YGT)

    Skype_10162012_foto.zip -- archive file

    Cool Work!

  15. ParallaxView · 733 days ago

    It appears if people manually run a scan on their system they can clean off the virus, but I am unable to tell Sophos to clean off the virus through the Enterprise Console.

    When I select "Resolve Alerts and Errors", I then check the box(es) next to the virus and click "Cleanup", I get an error stating "None of these alerts can be cleaned up." That's a pretty big limitation with the Enterprise Console.

  16. silenthuntervanguard · 678 days ago

    I have Fedora 16 Linux. I assume this doesn't affect Linux? I'm sure even if it did, SELinux would nuke it, right?

  17. dork · 617 days ago

    wtf just received this, how can I get rid of it??

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.