New Worm, W32.Chatosky, Using Skype to Infect Users
A new worm is making its way around the internet using Skype. It is the first, I believe, to use Skype, although I could be wrong. This virus affects these versions of Windows: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. So, pretty much all of them but the newest and the oldest.
Here is the info Websense has on it:
- users receive messages via Skype Chat to download and run a file
- the filename is called sp.exe
- assuming the file is run it appears to drop and run a password stealing Trojan Horse
- the file also appears to run another set of code that uses Skype to propagate the original file
- the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
- the file connects to a remote server for additional code
- the original site has been black holed and is not serving the code anymore
- the number of victims is still TBD
- the original infections appear to be in APAC region (Korea in particular)
Symantec has more info on their site, and they are calling it W32.Chatosky.
When W32.Chatosky is executed, it performs the following actions:
- Searches the registry for the location of the Skype application.
- Displays the following message and then exits if it cannot find the registry entry: "I could not find Skype !"
- Executes the Skype application and displays the following message if it finds the registry entry: "Allow this program in skype!"
- Queries Skype for random users every 3 minutes.
- Starts the Skype application and sends the following message to the users: "Check this!" followed by a URL containing the worm body.
To remove it, disable System Restore (Windows Me/XP), update the virus definitions and run a full system scan.
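The propagation behaviour described above (the same "Check this!" lure with a link, sent to different users roughly every 3 minutes) can be hunted for in chat logs. The following is an added example, not code from Websense, Symantec or this post; the tab-separated log format, account names, URLs and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: ISO time, sender, recipient, text (tab-separated).
# Format, accounts and URLs are invented for this example.
SAMPLE_LOG = """\
2007-01-01T10:00:00\talice\tbob\tlunch at noon?
2007-01-01T10:01:00\tmallory\tbob\tCheck this! http://files.example/sp.exe
2007-01-01T10:04:00\tmallory\tcarol\tCheck this! http://files.example/sp.exe
2007-01-01T10:07:00\tmallory\tdave\tCheck this! http://files.example/sp.exe
2007-01-01T10:09:00\tcarol\talice\tCheck this! http://news.example/article.html
"""

LURE = re.compile(r"check this!\s*(https?://\S+)", re.IGNORECASE)

def parse(log):
    """Yield (timestamp, sender, recipient, text) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, sender, recipient, text = line.split("\t", 3)
            yield datetime.fromisoformat(ts), sender, recipient, text

def lure_url(text):
    """Return the URL if text is the lure plus a link to an .exe, else None."""
    m = LURE.search(text)
    if not m:
        return None
    url = m.group(1)
    return url if urlparse(url).path.lower().endswith(".exe") else None

def suspected_senders(log, interval=180, tolerance=30, min_recipients=3):
    """Flag accounts sending the lure to several users at ~3-minute spacing."""
    hits = defaultdict(list)
    for ts, sender, recipient, text in parse(log):
        if lure_url(text):
            hits[sender].append((ts, recipient))
    flagged = {}
    for sender, msgs in hits.items():
        msgs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(msgs, msgs[1:])]
        periodic = bool(gaps) and all(abs(g - interval) <= tolerance for g in gaps)
        recipients = {r for _, r in msgs}
        if periodic and len(recipients) >= min_recipients:
            flagged[sender] = sorted(recipients)
    return flagged

if __name__ == "__main__":
    print(suspected_senders(SAMPLE_LOG))
```

A flagged account is a lead that the host behind it may be infected, not proof; a single lure message with an executable link is still worth reviewing on its own.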