Skype worm spreads, using LOL trick to infect unwary users

Skype worm spreads, infecting unwary users who fall for LOL trick

SkypeSkype users are warned to be on their guard, regarding malicious instant messages that have been sent through the service, designed to infect Windows computers.

A malicious worm is taking advantage of the Skype API to spam out messages similar to the one below:

lol is this your new profile pic?[REDACTED]?img=[USERNAME]

Clicking on the suspicious links leads to the download of a ZIP files (variously called or that contains executable files detected by Sophos anti-virus products as Troj/Agent-YCW or Troj/Agent-YDC.

The Trojan horse opens a backdoor, allowing a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.

On execution the malware copies itself to

%PROFILE%\Application Data\Jqfsfb.exe

and sets the autostart entry as below:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry          = "Jqfsfb"
description    = "Skype "
publisher      = "Skype Technologies S.A."
image          = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string  = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"

Before you know it, your passwords could have been stolen, your computer could be recruited into a botnet (the malware is a variant of the Dorkbot worm) and you could have fallen victim to a ransomware attack.

There have been many variants of the Dorkbot attack spotted over the least year or so, spreading via Facebook and Twitter. The threat can also spread via USB sticks, and various instant messaging protocols.

The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users.

Always remember to be suspicious of unsolicited out-of-character messages sent to you by your online friends.

You don’t know that it was a friend who sent you the message, all you know is that it was their account which posted it to you… and who knows if it was compromised or not?

Update: A Skype spokesperson contacted Naked Security to give us the following statement:

"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."

Thanks to Anna and Julie at SophosLabs for their assistance with this article.