Folks at Skype submitted to us for analysis a piece of malware that is currently spreading using their application. The said malware, which Trend Micro detects as WORM_SKIPI.A, sends messages via Skype’s chat feature. The messages it sends contain a link that alleges to be a picture waiting to be downloaded. Below is a screenshot of a message exchange:
Some of the links that are used by this worm are displayed as follows:
Note that the supposed file to be downloaded is DSC027.JPG. However, the above links actually point to the following URLs, where a copy of this worm named DSC027.SCR is located:
Once the worm copy is downloaded and executed on the system, it displays the following image:
This worm also modifies the status of the affected user from Online to Do Not Disturb or Invisible. Additionally, this worm prevents access to several antivirus-related Web sites. It does the said routine by modifying the HOSTS file, as seen below:
Trend Micro already detects this worm via the latest pattern, while the URLs are already blocked by the In-the-cloud Filtering Service. We strongly advise Skype users to be wary of messages inviting to click any link. In addition, considering the number of users of Skype (estimated to be around 220 million), this worm may skip and spread to a huge number of Skype contacts.
Data provided by Loucif Kharouni. Additional information provided by Ivan Macalintal.