Wednesday, September 12, 2007

A Skype Worm: W32/Ramex.A or W32/Pykse.worm.b

What did I predict about a year ago? A Skype worm that could connect on its own to your other contacts and spread by using the Skype VoIP network.
Well, we've got it ... in some way.
Skype users are under attack from a new worm that spreads through the peer-to-peer Internet phone application's chat feature. The attack begins when a user receives an instant message containing a link from someone in their contact list or an unknown Skype user. There are several versions of the chat messages, which are cleverly written to fool users. The link appears to point to a JPEG photo file, but clicking it brings up the Windows run/save dialog box, which asks whether the user wants to save or run a ".scr" file. The file is malicious software that can then access the user's PC via Skype's API (application programming interface). The malicious file has been named W32/Ramex.A or W32/Pykse.worm.b. Computers infected with this virus then send a chat message to other Skype users asking them to click on a web link that can infect their computers.
Of course, it's not exactly what I was thinking of a year ago, but it came very close this time. Most AV vendors have an update now; however, cleaning does not always seem to be so straightforward, as the worm has some clever blocking features to stop the cleaning.
I must say that we don't see a lot of infections over here.