New Worm, W32.Chatosky, Using Skype to Infect Users

A new worm is spreading it way around the internet using Skype, the first, I believe to use Skype, although I could be wrong, this virus affects all these versions of Windows, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP. So, pretty much , all of them but the newest and the oldest.

Here is the info Websense has o it,

  • users receive messages via Skype Chat to download and run a file
  • the filename is called sp.exe
  • assuming the file is run it appears to drop and run a password stealing Trojan Horse
  • the file also appears to run another set of code that uses Skype to propagate the original file
  • the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
  • the file connects to a remote server for additional code
  • the original site has been black holed and is not serving the code anymore
  • the number of victims is still TBD
  • the original infections appear to be in APAC region (Korea in particular)

Source: Websense

Symantec has more info on their site, and they are calling it W32.Chatosky.

When W32.Chatosky is executed, it performs the following actions:

Searches the registry for the location of the Skype application.

Displays the following message and then exits if it cannot find the registry:

Error!
I could not find Skype !

Executes the Skype application and displays the following message if it finds the registry:

Warning!
Allow this program in skype!

Queries Skype for random users every 3 minutes.

Starts the Skype application and sends the following message to the users:

Check this! Here is where it displays a url containing the worm body.
Source: Symantec

To remove it, disable System Restore (Windows Me/XP), update the virus definitions and run a full system scan.