Skype Worm Actually a Trojan Horse

Apparently, there is some confusion concerning the Skype worm I posted about yesterday, Websense now says it is a Trojan horse and it is not exploiting anything, it is just using the chat portion to send the file.

Yesterday Websense Security Labs reported on our blog that there was a potential Worm propagating via Skype (see: http://www.websense.com/securitylabs/blog/blog.php?BlogID=101). After investigation we have discovered that this is not a self propagating worm and is actually a Trojan Horse.

After discussions with the very helpful Skype security team, the behavior of this Trojan using the Skype API is as per the specifications of the API. The end-user who is running Skype does get notified that a program is attempting to access it and must acknowledge it. Source: Websense

Here is what F-Secure says about it.

  • There is no massive outbreak going on
  • There is something spreading on [tag]Skype[/tag], but only in limited numbers
  • It is not exploiting a vulnerability in Skype but simply sending chat messages asking you to download and run the infected executable
  • There are two different and separate malware samples being talked about relating to this case, confusing things further
  • One of them is named “sp.exe”. We received a sample of this yesterday and added detection. This one is connecting to nsdf.no-ip.biz in its attempt to download additional components
  • The other one is described in here. This one downloads additional components from marx2.altervista.org, and it’s actually not new at all: we’ve detected it since beginning of October.

Source: F-Secure

So, this puppy will probably start showing up using some other chat programs, and is probably one of many variants to come. As we all know, these guys are getting lazy and just pumping crap out into the internet hoping to snag a few users.