Another Skype worm has been released that spreads by sending a malware link to online friends in Skype users’ contact lists. Before sending a message containing the malware link, the Trojan sets the infected user’s status to Do Not Disturb and, as a side effect, silences call or message alerts. F-Secure has a screenshot of that warning message here.
Once a user has clicked on the malware link and downloaded and executed the file, a picture of a scantily clad woman pops up. F-Secure has a screenshot of that at the same location as the screenshot of the warning message, but it’s a fuzzy rendition.
F-Secure is speculating that the worm’s motive is to promote the following list of sites, all of which read like a promotional message for tourism in Africa and supposedly sponsored by the “ThinkQuest team:”
http://aras.lookingat.us/index.htm http://asilas.my-php.net/index.html http://bobodada.3-hosting.net/index.html http://bobos45.bebto.com/index.html http://gogo442.hatesit.com/index.html http://jackdaniels.110mb.com/index.html http://timboss.1majorhost.com/index.html http://zozole.php0h.com/index.html
This site, which F-Secure hypothesizes may be an infected-user counter or a means of quantifying the malware writer’s profit, is also visited: http://aras.allfreehost.net/cal[REMOVED]nt.php “Who knows, malware nowadays are mostly driven and motivated financially,” according to F-Secure’s posting.
Other recent malware to hitch a ride on the free Skype VOIP service has included a Trojan named Warezov or Stration that used contact lists to spread to users’ friends, family and colleagues in late March.
The incidents are proof that researchers have been right when they’ve grumbled about Skype as a security risk, which they’ve been doing for some time. In June 2006, security firm Bit9 included Skype on a list of widely used applications that escape enterprise IT notice yet which, if left unpatched, make the programs a bigger threat to enterprise networks than malicious software.