A new worm is using the Skype network to spread. Two security companies have reported a new variant of the Warezov/Stration family. The malware uses the popular VoIP and instant messaging (IM) network to try to trick Skype users into clicking on a web link sent with the lure “Check up this”. The worm was dubbed ‘Skypezov’ by F-Secure three weeks ago, and a new variant was noticed more recently by Websense.
Websense offers a few details about the worm:
* users receive messages via Skype Chat asking them to download and run a file
* the file is named sp.exe
* if the file is run, it appears to drop and run a password-stealing Trojan horse
* the file also appears to run a second set of code that uses Skype to propagate the original file
* the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
* the file connects to a remote server for additional code
* the original site has been black-holed and is no longer serving the code
* the number of victims is still to be determined
* the original infections appear to be in the APAC region (Korea in particular)
Researchers and security analysts confirm that this worm is not attacking Skype itself, but is spreading through it by way of chat links that lead to the download of an executable named sp.exe. If the executable is run, it installs a password-sniffing Trojan that records and steals passwords. A separate set of code also runs to spread the worm further. Websense additionally reports that the Yahoo SMTP component of the latest version of the malware appears not to function, because the server it relies on is no longer working, but the program is still able to harvest a user’s Skype contacts and attempt to spread itself to new victims. There is no vulnerability in Skype itself; the worm relies on a new form of social engineering. As with other instant messaging programs, the chances are that users will be more trusting of messages that appear to come from people they know, and will click on the link.
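The propagation pattern described above (a short lure message carrying a link to an executable, blasted to many contacts from one account) can be spotted in IM logs without any knowledge of the binary itself. The following is an added example, not code from Websense, F-Secure or Symantec; it assumes a hypothetical chat-log format of the form `timestamp sender -> recipient: message`, and the log lines, host name and scoring thresholds are constructed for illustration. It flags messages that contain a link to an `.exe` file, the known filename `sp.exe` or the known lure text, and then looks for senders who push a flagged link to several contacts within a short window, which is the behaviour of an infected client rather than of a person.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample chat log (not a real capture). Format assumed here:
# "YYYY-MM-DD HH:MM:SS sender -> recipient: message"
SAMPLE_LOG = """\
2007-03-21 09:14:02 alice -> bob: hey, lunch at noon?
2007-03-21 09:15:10 carol -> bob: Check up this http://example.invalid/sp.exe
2007-03-21 09:15:11 carol -> dave: Check up this http://example.invalid/sp.exe
2007-03-21 09:15:12 carol -> erin: Check up this http://example.invalid/sp.exe
2007-03-21 09:15:13 carol -> frank: Check up this http://example.invalid/sp.exe
2007-03-21 09:40:00 bob -> alice: sure, see http://example.invalid/menu.html
2007-03-21 10:02:45 dave -> carol: what is this? http://example.invalid/photos.exe
"""

LINE_RE = re.compile(r'^(\S+ \S+) (\S+) -> (\S+): (.*)$')
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)
LURE_PHRASES = ("check up this",)   # lure text reported for this worm
KNOWN_FILENAMES = ("sp.exe",)       # dropper filename reported for this worm


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "sender": m.group(2), "recipient": m.group(3), "text": m.group(4)}


def score_message(text):
    """Return the list of reasons a message looks like the worm's lure (empty if clean)."""
    reasons = []
    lowered = text.lower()
    for url in URL_RE.findall(text):
        path = url.split("?", 1)[0].rstrip(".,;)")
        name = path.rsplit("/", 1)[-1].lower()
        if name.endswith(".exe"):
            reasons.append(f"executable download link: {name}")
        if name in KNOWN_FILENAMES:
            reasons.append(f"known worm filename: {name}")
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"known lure text: {phrase!r}")
    return reasons


def scan_log(log_text, burst_window=timedelta(minutes=5), burst_threshold=3):
    """Flag suspicious messages and senders that push a flagged link to many contacts.

    Returns (flagged_messages, bursting_senders); bursting_senders maps a sender to
    the number of distinct recipients it hit with flagged messages inside burst_window.
    """
    flagged = []
    sends = defaultdict(list)  # sender -> [(timestamp, recipient)] for flagged messages only
    for raw in log_text.splitlines():
        msg = parse_line(raw)
        if msg is None:
            continue
        reasons = score_message(msg["text"])
        if reasons:
            flagged.append((msg["sender"], msg["recipient"], reasons))
            sends[msg["sender"]].append((msg["ts"], msg["recipient"]))

    bursting = {}
    for sender, events in sends.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            recipients = {r for t, r in events[i:] if t - t0 <= burst_window}
            if len(recipients) >= burst_threshold:
                bursting[sender] = len(recipients)
                break
    return flagged, bursting


if __name__ == "__main__":
    flagged, bursting = scan_log(SAMPLE_LOG)
    for sender, recipient, reasons in flagged:
        print(f"{sender} -> {recipient}: {'; '.join(reasons)}")
    for sender, n in bursting.items():
        print(f"possible infected client: {sender} sent flagged links to {n} contacts")
```

On the constructed log, every message from `carol` is flagged on all three criteria and `carol` is reported as a bursting sender, while `dave`'s single `.exe` link is flagged only as an executable download and does not trip the burst check. Blocking on the filename alone would miss the next variant; the link-to-executable and fan-out heuristics do not depend on the name.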
Mikko Hypponen, F-Secure's chief research officer, wrote in a blog: "What's clear is there's no massive worm outbreak with Skype at the moment", and F-Secure will continue to monitor the situation.
Symantec named the worm W32.Chatosky; the samples it tested were confirmed to have originated in the APAC region, with Korea being the main country of origin. Websense reports on its blog that the worm uses the NTKrnl Secure Suite packer, which encrypts the packaged file so that each packed sample looks unique to detection engines.