Only a few days after the emergence of the worm spreading via Yahoo! Messenger (Ymfocard), we have detected a new and more sophisticated wave of attacks targeting both Skype and Yahoo! Messenger.
Messages with different contents sent via Skype
Still using the method of inserting malicious URLs into chat windows like Ymfocard, however, social engineering skill of the Worm, this time, is much more sophisticated than the previous one.
Each time spreading, the messages sent by the Worm have different contents, for example, "Does my new hair style look good? bad? perfect?", "My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?"... The users are more easily tricked into clicking the link by these messages, because users tend to think that "their friend(s)" are asking for advices. Moreover, the URL shows a .JPG file to users, reinforcing the users' thought of an image file.
If an user clicks the link, his browser will immediately load to a website with Rapidshare-like interface, and a .zip file will be available for download.
A .zip file is available for download
The extracted file is actually an executable file with .com extension. However, this file is disguised as a .JPG file and cleverly covered as a .com domain (where the file is hosted).
After analyzing the worm, we find out that the worm has more compilicated functions and operations than Ymfocard. The worm:
- Automatically exits if the victim's computer is not installed with Skype or Yahoo! Messenger.
- Automatically sends messages with different contents containing malicious URLs to user names in Skype/Yahoo! Messenger friend list of the user
- Automatically injects malicious link in to Word, Excel files or email that being composed.
- Connects to IRC server to receive commands from hacker
- Blocks operations of antivirus software
- Anti virtual machine and sandbox
- Uses rootkit technique to hide its files and processes
- Prevents users from accessing more than 700 websites of security or antivirus
- Automatically copies itself along with file Autorun.inf into USB drives to spread
Bkav has detected this Worm as W32.Skyhoo.Worm
Once again, we would recommend IM users to be careful before clicking any links received, even from your friends or relatives. Besides, users should regularly update their antivirus softwares on their computers.