Sophos Cloud Optix
Skype users are warned to be on their guard, regarding malicious instant messages that have been sent through the service, designed to infect Windows computers.
A malicious worm is taking advantage of the Skype API to spam out messages similar to the one below:
lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]
Clicking on the suspicious links leads to the download of a ZIP files (variously called skype_06102012_image.zip or skype_08102012_image.zip) that contains executable files detected by Sophos anti-virus products as Troj/Agent-YCW or Troj/Agent-YDC.
The Trojan horse opens a backdoor, allowing a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.
On execution the malware copies itself to
%PROFILE%\Application Data\Jqfsfb.exe
and sets the autostart entry as below:
entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" entry = "Jqfsfb" description = "Skype " publisher = "Skype Technologies S.A." image = "c:\documents and settings\support\application data\jqfsfb.exe" launch_string = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"
Before you know it, your passwords could have been stolen, your computer could be recruited into a botnet (the malware is a variant of the Dorkbot worm) and you could have fallen victim to a ransomware attack.
There have been many variants of the Dorkbot attack spotted over the least year or so, spreading via Facebook and Twitter. The threat can also spread via USB sticks, and various instant messaging protocols.
The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users.
Always remember to be suspicious of unsolicited out-of-character messages sent to you by your online friends.
You don’t know that it was a friend who sent you the message, all you know is that it was their account which posted it to you… and who knows if it was compromised or not?
Update: A Skype spokesperson contacted Naked Security to give us the following statement:
"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."
Thanks to Anna and Julie at SophosLabs for their assistance with this article.
I got this spam sent to me, apparently it breaks if you message back.
Breaks how, exactly?
hum verry bad day for skype user
i have another sample of this sent to a friend of mine if any guys interested let me know
If you wish to submit any suspicious samples to our labs, please use the form at https://secure2.sophos.com/en-us/support/contact-…
Thanks
I got this scam a few days ago and I scanned with Panda (I am on Windows) and it was detected as suspicious, im glad i deleted it
All you have to do would be put your security settings so no one can work on it remotely.This is simple enough to do.
It's all very well warning skype users to be on their guard, but what is the advice from Sophos to its customers in dealing with this where users have clearly been infected?
Sophos detects the malware involved (we list what we detect it as in the article) – so our products should be able to help you if you were unfortunate enough to have become infected. Any problems, please contact our support team.
Hope that helps.
I don't think this works on Vista or Win7, I mean the autorun registry value probably cannot be written without admin grant and post-XP OSes do not grant that by default.
In fact I cannot see why this is called malware per se. User running code ruining self is not malware, because there is no exploit involved, it's just a self-imposed Darwin Award.
"User running code ruining self is not malware, because there is no exploit involved, it's just a self-imposed Darwin Award. "
In which case, the vast majority of malware we see each day isn't considered by you to be malware. As most of the Trojans, viruses and worms that we see don't exploit any vulnerabilities other than the bugs in people's brains, and use social engineering instead to trick users into running them.
Your definition of malware doesn't match that used by the majority of people – and I think most folks would be upset if we only detected the malware that exploited software vulnerabilities.
I've seen this message in English, Swedish, German and Thai so far. All within a few minutes. The company where I work use Skype for some types of connunication, so I guess we've had a few people infected so far.
Does anyone know for sure if these messages are sent only from users that are infected, or if it poses as other people on your contact list? Judging from the different languages in which I've received the message (and from who), it appears that the message is in Thai from Thai users etc. This could indicate that the worm uses the infected users location to select the message language.
If the worm would have used the recipient's location for language selection, I wouldn't have gotten messages in Thai from users in Thailand and in German from users in Germany I think.
I got this also tomorrow but i clicked it, what can I do now?
You may want to scan your computer with an up-to-date anti-virus.
It may also be friendly to warn any friends that you could have passed the message onto to watch out for unsolicited messages from you.
Well Eng/Ger messages are not so suprising, however there has also been an outbreak of this worm in Czech Republic with messages in Czech, which I haven't seen for quite a while (OK, Thai suprised me a little bit too.). I rather wonder whether is uses translator or has translated string saved in it.
Messages are sent as soon as you get infected and only from infected users, sometimes even repeatedly.
P.S. It works even on Windows 7 – seen at least two infected users (but there is possibility of UAC turned off or modfied version of worm).
I’ve seen that message in Finnish but it was a really poor translation, probably done with Bing or Google Translate so that might explain the other languages too.
Does this issue affect the Mac version of Skype?
You can certainly receive the messages via Skype on a Mac. However, the malware we have seen so far targets Windows computers.
A note to all: The executable isn't always Jqfsfb.exe – It appears to have changed in a recent outbreak we had this morning.
Hello,
one user download this zip file but Sophos detect no Trojan!
He save this file and i send this sample to Sophos.
If you encounter any files that you believe we should be detecting, please send them to SophosLabs via the form here:
https://secure2.sophos.com/en-us/support/contact-…
Thanks!
Hello,
sophos wrote back:
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.
Skype_10162012_foto.exe — identity created/updated (New detection Troj/Agent-YGT)
Skype_10162012_foto.zip — archive file
Cool Work!
It appears if people manually run a scan on their system they can clean off the virus, but I am unable to tell Sophos to clean off the virus through the Enterprise Console.
When I select "Resolve Alerts and Errors", I then check the box(s) next to the virus and click "Cleanup", I get an error stating "None of these alerts can be cleaned up." That's a pretty big limitation with the Enterprise Console.
Sorry to hear you are having problems.
I'm afraid we're not well set up for providing product support via this forum. So i would recommend visiting http://www.sophos.com/en-us/support.aspx instead
I have Fedora 16 Linux. I assume this doesn't affect Linux? I'm sure even if it did, SELinux would nuke it, right?
wtf just received this, how can i get rid of it??