Since Saturday, there’s a worm actively spreading through (mainly) Skype as well as Messenger (Windows Messenger, Microsoft MSN Messenger).
The link points to goo.gl, Google's URL shortener service, and redirects to Hotfile.com, which is a legitimate file-sharing website. (It's not the first time Hotfile has been used to spread malware; read more here.)
The positive thing is that it is a ZIP file and not an EXE, which means the user still has to manually unpack and run the malware. Inside the ZIP file we find the following file, disguised as a Skype setup file:
When this file is executed, another file (an EXE with a random 4-character name) is dropped into the %appdata% folder of the currently logged-on user:
This file will try to connect to api.wipmania.com, waiting for instructions. Additionally, it tries to connect to the following IP addresses:
Now, how do we know how it spreads and which messages it can display? The file extracted from the ZIP archive, skype_05102012_image.exe, looks for the following processes:
It will then automatically send a message, based on the OS language. It uses the following list to spread:
tas ir jusu jauna profila bildes?
seo do grianghraf prl nua?
ont uusi profiilikuva?
nai aft a fotografa profl sas?
sa kvo profili lusankary aquesta
s la teva nova foto de perfil?
hey ito sa iyong larawan sa profile?
hey lanh tieu cua ban?
hey ini foto profil?
hei zhni de gn zilio zhopin ma?
ni phaph porfil khxng khun?
hej er det din nye profil billede?
hej je to vasa nova slika profila?
hej je to tvuj nov obr zek profilu?
hei er dette din nye profil bilde?
hey la tua immagine del profilo nuovo?
hej to jest twj nowy obraz profil?
hej jeli ovo vasa nova profil skila?
hey bu yeni profil pic?
hej detta är din nya profilbild?
tung, cka paske lyp ti nket fotografi?
moin , kaum zu glauben was für schöne fotos von dir auf deinem profil
hey is dit je nieuwe profielfoto?
ez az j profil ksta tu foto de perfil nuevo?
hey essa sua foto de perfil? rsrsrsrsrsrsrs
hey c’est votre nouvelle photo de profil?
hoi schoni fotis hesch du uf dim profil ppe n
lol is this your new profile pic?
It then adds the link and appends your username after the equals sign ('='):
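The two traits just described, a shortener link and the recipient's username appended after an equals sign, together with the fixed lure phrases listed above, give a simple content-based detector for IM logs. The script below is an added example, not code from the original post or from Panda. It assumes a plain-text chat log in the form "timestamp sender: message" (a constructed format), a small subset of the lure phrases from the list above, and the common shortener domains the post names; the sample log lines are constructed, not captured.

```python
import re
from urllib.parse import urlparse, parse_qs

# Shortener domains named in the post; extend as needed.
SHORTENERS = {"goo.gl", "t.co", "bit.ly", "tinyurl.com"}

# A few of the lure phrases from the worm's list, normalised: lowercase,
# URLs removed, punctuation stripped, single spaces between tokens.
KNOWN_LURES = {
    "lol is this your new profile pic",
    "hey is dit je nieuwe profielfoto",
    "hey c est votre nouvelle photo de profil",
    "hej detta är din nya profilbild",
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Assumed log layout: "<timestamp> <sender>: <text>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sender>[^:]+):\s*(?P<text>.*)$")


def normalise(text):
    """Strip URLs and punctuation so small variations still match KNOWN_LURES."""
    text = URL_RE.sub("", text).lower()
    return " ".join(re.findall(r"[^\W_]+", text))


def flag_lure_messages(lines, local_username):
    """Return (timestamp, sender, reasons) for each log line that shows one or
    more of the worm's traits: a shortener link, the local user's name as a
    query-parameter value, or a known lure phrase."""
    findings = []
    wanted = local_username.lower()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        text = m.group("text")
        reasons = []
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            host = parsed.netloc.lower()
            if host in SHORTENERS:
                reasons.append("shortener:" + host)
            # The worm appends the recipient's username after "=", so check
            # every query-parameter value against the local account name.
            values = [v.lower() for vs in parse_qs(parsed.query).values() for v in vs]
            if wanted in values:
                reasons.append("username-in-query")
        if normalise(text) in KNOWN_LURES:
            reasons.append("known-lure-text")
        if reasons:
            findings.append((m.group("ts"), m.group("sender").strip(), reasons))
    return findings


# Constructed sample log; the goo.gl path and names are placeholders.
SAMPLE_LOG = [
    "2012-10-08T10:15:02 mallory: lol is this your new profile pic? http://goo.gl/xxxx?img=alice",
    "2012-10-08T10:16:40 bob: meeting moved to 3pm, see http://intranet.example/calendar",
    "2012-10-08T10:18:11 carol: hey is dit je nieuwe profielfoto? http://example.org/photos?user=dave",
]

if __name__ == "__main__":
    for ts, sender, reasons in flag_lure_messages(SAMPLE_LOG, "alice"):
        print(ts, sender, ", ".join(reasons))
```

A message that triggers all three reasons at once (as the first sample line does) is a strong match for this worm; a lone "known-lure-text" hit, as on the third line, is worth a look but may be an ordinary conversation, so the reasons are returned separately rather than collapsed into one verdict.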
The malware is identified by Panda as W32/SpySkype.G.worm and spreads via removable drives, instant messaging programs, and social networks. Some variants could get user names and passwords, and block websites related to security updates. It may also launch a limited denial of service (DoS) attack.
On our test machines no additional malware was downloaded, even after replicating a few times. Further malware of any kind could, however, be downloaded at any time, whether ransomware, rogueware, and so on.
Worms spreading through Facebook, Twitter as well as IRC, MSN and Skype are nothing new. Still, they appear to be very successful, as human curiosity wins in cases of doubt:
“Do I really have (embarrassing) pictures of myself on this website? Better take a look!”
No, no, no!
Never click on unknown links, especially when a URL shortener service like goo.gl is used (others are, for example, t.co, bit.ly, tinyurl, etc.).
Don’t be fooled by familiar icons or “legit” file descriptions; these can easily be altered.
Even if you clicked the link without suspicion, you should become suspicious when a file is downloaded and no pictures are shown, but just an EXE file.
Keep your antivirus always updated. Here you will find a free 6-month trial of Panda Cloud Antivirus Pro.
I would like to thank our colleague Bart Parys (Panda Security Benelux), http://www.twitter.com/bartblaze.