Friday, March 23, 2007

Trojan Spreading Via Skype

March 23, 2007 3:53 PM

A Trojan is using the free Skype VOIP service to spread to users' friends, family and colleagues, Websense Security Labs reported on March 22.

The Trojan, a copy of the Trojan named Warezov or Stration, is not propagating itself. However, when it runs, it sends a URL to all users within the victim's Contacts list, according to Websense.

An earlier version of the same attack hit Skype in late February, as reported by F-Secure. This latest rendition differs in that it's carrying new URL information and a new version of the malicious code.

Websense reports that Skype users are receiving a message that says "Check up this," with a URL containing a hyperlink. Websense's advisory contains a sanitized screenshot at the bottom.

Users who click on the link are redirected to a site hosting a file named file_01.exe. Users are then prompted to run the file. If the user does so, the Trojan downloads and runs several other files. Websense notes that there is no Skype vulnerability at play in this attack.

Below are the files the Trojan loads from different domains, according to Websense. The domains were up and running at the time of Websense's Thursday alert:

1e61617b7498c5cad41c4d26b8e4ca8c file_01.exe
7c2b181ab4fbe858e22bbbdc725e4f53 gdi32.exe
7306bed6c39560ed78fe67cfc5e643c8 ndis.exe
5262a217d2ca7f28be6fc398d8f8aee3 sk.exe

The victim's contacts also receive the URL within Skype. After the Trojan hitches itself to a system, it tries to connect to a Yahoo mail server to send an SMTP message. However, that server appears inoperative, and the communication fails. Websense conjectures that the connection attempt is "probably an attempt to notify the attacker that a certain machine has been infected."

The other files downloaded by the Trojan are alternate versions of the Warezov/Stration malicious code. The code opens backdoors to victims' systems and also downloads new code.