Shylock malware which spreads via Skype is not the only threat that users should be worried about. We found another worm that takes advantage of Skype to spread copies of itself.
Reports of Shylock malware found on certain Skype messages was a hot topic last week. We looked into the related samples and based on our analysis, the malware (detected as WORM_BUBLIK.GX) downloads and loads additional plugins that include {C&C}/files/010-update-vl0d3/msg.gsm (detected as WORM_KEPSY.A). Once executed, this malicious plugin has the ability to clear Skype message history.
The other threat we found on Skype, detected as WORM_PHORPIEX.JZ, drops copies of itself in all removable drives. Similar to WORM_BUBLIK.GX, users may encounter this threat as a Skype message with links to the malware. WORM_PHORPIEX.JZ connects to specific Internet Relay Chat (IRC) servers and joins the channel #go. It also downloads and executes other malware onto the system and sends email messages containing an attachment, which is actually a copy of itself.
WORM_PHORPIEX.JZ also downloads the plugin WORM_PESKY.A, which generates the Skype message containing the following details:
We looked into the number of infections for WORM_PHORPIEX using Trend Micro™ Smart Network Protection™ feedback and found out that 83% of infected machines came from Japan.
Skype is no stranger to web threats
Skype, unfortunately, is no stranger to worms. Last year, we blogged about certain messages containing links leading to DORKBOT variant. The malware (detected as WORM_DORKBOT.DN) allows a remote user to take control over the infected system, steal information, and may initiate distributed denial-of-service (DDoS) attacks. It can also download other malware onto the system, including click-fraud malware and the notorious ransomware.
These strings of threats aimed at Skype pose serious risks, not just for ordinary users, but also for small businesses benefiting from the platform. Last year, Skype announced its Skype in the Workspace (SITW), a site that caters particularly to small-scale businesses. Around 500 small businesses have already started using SITW since the site’s beta testing. Furthermore, Microsoft is reportedly closing down Windows Messenger on March 15, 2013 and recommends switching to Skype. As such, this poses risks especially to first-time Skype users and with DORKBOT and now, Shylock variants spreading via Skype, users and businesses alike should have a more security-conscious mindset when it comes to using Skype.
To stay safe, users must refrain from clicking links found in instant messages, specially those from unknown or unverified sources. Trend Micro protects users from this threat via Smart Protection Network™, which detects related malware if detected on a system.
