Multilingual Worm Attacks Skype Users
Written by Adam Gosling
Wednesday, 12 September 2007
Skype users need to be wary of chat messages from friends purporting to link to funny or naughty pictures - it is the malware writers that are naughty as the links direct users, not to pornographic images, but to infected websites.
"The new week has started with a bang. And not the kind of bang we like," said Skype blogger Villu Arak in his Heartbeat blog.
The worm, called different names by different security companies, arrives from a person who may not even be in your contact list, urging you to click on a link that appears to point to a .jpg image; instead, users are directed to an infected website.
According to reports, the worm checks the language settings of each target PC and translates its message into the appropriate language, including Latvian, Russian and English.
Instead of the expected picture, the Windows Run/Save dialog box pops up, asking for permission to save or run a .scr file. This is the virus file and should not be downloaded or run.
If it is run, the target PC is infected with the virus, which uses Skype's public Application Program Interface (API) to access the PC and will attempt to pass on the worm by sending a chat message to other Skype users asking them to click the infected link.
Arak said there are several versions of the chat message and it "is cleverly written and may appear to be a legitimate chat message, which may fool some users into clicking on the link".
The worm tries to shut down the user's security software and attacks the PC's Hosts file in a way which stops the security software updating. It also reportedly adds applications to the list of programs approved to work with Skype. One of these attempts to steal personal information.
When the worm runs it displays the Windows standard desktop background 'bubbles' to disguise what it is doing.
Arak said Skype has been in contact with the leading antivirus software companies about the worm and many have already updated their software to effectively stop this worm and its side effects.
Expert users can also remove the worm manually, he advises, by following the procedure below.
- Restart the PC in safe mode
- Run regedit
- Go to HKLM/software/microsoft/windows/currentversion/runonce find entry with mshtmldat32.exe. Delete this entry.
- Go to Windows\System32 directory and delete following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
- Go to windows/system32/drivers/etc
- Find file hosts
- Open it with notepad, ctrl+a and delete all entries (this will resume your antivirus updates), save, close.
- Restart the PC.
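The procedure above clears the hosts file wholesale, which also discards any legitimate entries. The Python sketch below is an added example, not part of the original article or Skype's advice: it lists what a hosts file actually contains before it is wiped and checks a directory listing for the four file names given above. The sample hosts content and hostnames are constructed, and treating loopback or 0.0.0.0 mappings as update blocking is an assumption; the article does not say how the worm edits the file.

```python
import ipaddress

# File names the article lists for deletion from Windows\System32.
WORM_FILES = {"wndrivs32.exe", "mshtmldat32.exe", "winlgcvers.exe", "sdrivew32.exe"}
DEFAULT_NAMES = {"localhost"}  # mapping normally present in a clean hosts file

def audit_hosts(text):
    """Return (ip, hostname, sinkholed) for every non-default hosts mapping."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address
        # Assumption: names pointed at loopback/unspecified are being blocked.
        sinkholed = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:                   # one line may carry several names
            if name.lower() not in DEFAULT_NAMES:
                findings.append((str(ip), name.lower(), sinkholed))
    return findings

def find_worm_files(filenames):
    """Return listed names matching the article's file list, case-insensitively."""
    return sorted(n for n in filenames if n.lower() in WORM_FILES)

# Constructed sample input (hostnames are placeholders, not real indicators).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # constructed entry
0.0.0.0         download.av-vendor.example www.av-vendor.example
10.0.0.5        intranet.corp.example
"""
SAMPLE_LISTING = ["notepad.exe", "MSHTMLDAT32.EXE", "sdrivew32.exe", "calc.exe"]

if __name__ == "__main__":
    for ip, name, sinkholed in audit_hosts(SAMPLE_HOSTS):
        tag = "BLOCKED" if sinkholed else "review "
        print(f"{tag} {name} -> {ip}")
    print("worm files present:", find_worm_files(SAMPLE_LISTING))
```

Entries tagged "review" (the intranet mapping in the sample) are ones the delete-everything step would also remove, so note them before clearing the file.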
You can find a list of the chat messages sent here.