Slashdot Mirror


Skype Worm Infects Windows PCs

walterbays writes with news of a worm spreading to Windows PCs through Skype's IM. The worm is variously called Ramex.a and Pykspa.d. A poster on a Skype forum explains how to remove it. "After hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL — which poses as a JPG image but is actually a download to a file with the .scr extension — wind up infected."

127 comments

  1. Worm? by Hatta · · Score: 4, Insightful

    Recipients who blithely click on the URL -- which poses as a JPG image but is actually a download to a file with the .scr extension -- wind up infected.

    I'm sure I won't be the first to point out that such an attack vector is not a worm.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Worm? by Anonymous Coward · · Score: 0

      Given the IQ of some of the Windows users, maybe it is, because it is automated since they aren't thinking :P

    2. Re:Worm? by Anonymous Coward · · Score: 5, Funny

      Given your position of first post, I can't see how you could be anything but the first to point out this.

    3. Re:Worm? by someone1234 · · Score: 1

      And it is not a Skype trojan either.
      Any other email/im could be a vector for it.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    4. Re:Worm? by Bill, Shooter of Bul · · Score: 4, Funny

      That is a good point, and I must admit I thought that as well ... at first. Then I started thinking, How long is something really first? Is something first always first? Like the first European to visit the Americas, Columbus. He was first, but only for 400 odd years before we discovered that the Vikings were the first. Also, one can never be so certain that time travel will never exist. Therefore, all of our first records in any given field may be only temporary, before someone from the future comes back and does it first.

      I applaud the gp's modesty, and four dimensional thinking. I think we should all be a little more considerate of our resources, both natural and produced, in light of the fact that they may belong to someone else before us, in the future.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    5. Re:Worm? by Doctor-Optimal · · Score: 4, Funny

      Ooh, a lesson in not changing history from mister "I'm-my-own-grandpa"!

      --
      New punctuation update "~" (no quotes) at the end of a line to indicate sarcasm. ~
    6. Re:Worm? by Thaelon · · Score: 1

      As if he knew he'd be the first post!

      Look how many keystrokes are in that baby!

      You'd have to be a ninja to say all that and still be first.

      --

      Question everything

    7. Re:Worm? by Suhas · · Score: 2, Funny
      > You'd have to be a pirate to say all that and still be first.

      There, fixed that for ya.

    8. Re:Worm? by badran · · Score: 0

      Well at least he is immune .........I cannot think...Those braijasdf.. glowwy things are nice...

    9. Re:Worm? by Hatta · · Score: 1

      You know, I thought about adding something like "unless this is the first post". I'm glad I didn't.

      --
      Give me Classic Slashdot or give me death!
  2. "blithely" by Gothmolly · · Score: 1, Funny

    I'm not sure how many Skype users would "blithely" click on anything.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:"blithely" by Anonymous Coward · · Score: 3, Funny

      Considering the definition and my general knowledge from doing tech support, I'd say just about all of them:

      blithely:
      1- of a happy lighthearted character or disposition
      2- lacking due thought or consideration

  3. Lovely by MechaShiva · · Score: 2, Interesting

    Ramex.a/Pykspa.d injects code into the Explorer.exe process to force it to run the actual malware -- a file named wndrivsd32.exe -- periodically, wrote an infected user on a Skype message forum today. The worm also plugs in bogus entries in the Windows hosts file so that installed security software won't be able to retrieve updates.

    No mention of if this is just piggybacking a windows exploit or is it purely the result of Skype being craptastic. Also, gotta wonder how/if it affects a properly patched windows xp machine and/or vista. In any event, sounds like fun.

    --
    After calming me down with some orange slices and some fetal spooning, E.T. revealed to me his singular purpose.
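The hosts-file tampering quoted in the comment above can be checked for directly. The following is an added example, not part of the original thread or of any vendor's tooling: it audits hosts-file text for entries that override domains a defender expects to resolve only through DNS. The protected suffixes and the sample file are constructed placeholders, since the page does not list the worm's actual entries.

```python
import ipaddress

# Assumption: domain suffixes the defender expects to resolve through DNS only.
# Constructed placeholders; the page does not list the worm's real targets.
PROTECTED_SUFFIXES = ("av-vendor.example", "updates.example.net")

# Constructed sample of a tampered hosts file. On Windows the real file
# lives under the system directory at drivers/etc/hosts.
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # entry the user never added
0.0.0.0 www.av-vendor.example download.av-vendor.example
192.0.2.10      intranet.corp.example
203.0.113.5     sigs.updates.example.net
127.0.0.1       notav-vendor.example
"""


def parse_hosts(text):
    """Yield (lineno, ip_string, address, hostname) for each valid mapping."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 byte order mark
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a well-formed mapping line
        for name in fields[1:]:
            yield lineno, fields[0], address, name.lower().rstrip(".")


def is_protected(hostname, suffixes=PROTECTED_SUFFIXES):
    """True if hostname equals a protected suffix or is a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def audit_hosts(text, suffixes=PROTECTED_SUFFIXES):
    """Return findings as (lineno, hostname, ip, reason) tuples.

    Any static entry for a protected name is reported: 'sinkholed' when it
    points at loopback or 0.0.0.0 (updates silently fail), 'pinned' when it
    points anywhere else (updates could be redirected).
    """
    findings = []
    for lineno, ip, address, name in parse_hosts(text):
        if not is_protected(name, suffixes):
            continue
        sinkholed = address.is_loopback or address.is_unspecified
        findings.append((lineno, name, ip, "sinkholed" if sinkholed else "pinned"))
    return findings


if __name__ == "__main__":
    for lineno, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({reason})")
```

Suffix matching is done on a dot boundary, so `notav-vendor.example` in the sample is not reported.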
    1. Re:Lovely by SnoopJeDi · · Score: 1

      I got the impression that Skype is only the means of passing on the infection.

    2. Re:Lovely by recoiledsnake · · Score: 4, Informative

      It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

      --
      This space for rent.
    3. Re:Lovely by Peaker · · Score: 3, Informative

      It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

      Heh, I am Eyal. I admit I was "infected". Basically I clicked the "scr" link because I foolishly trusted the source of the message to be who it was, did not read the contents before clicking, I don't really give much of a damn about this Windows box, and I forgot that the "scr" extension was executable, and not just an image file (which is typically a less likely attack vector).

      I assumed that since the Explorer.exe was unmodified, but explorer.exe is respawning the virus/worm's executable, that it modified Explorer's behavior in some way, perhaps by code injection. It was just speculation, of course, and obviously there are simpler ways to get explorer.exe to respawn your process, but it really is an unimportant detail.
    4. Re:Lovely by IhuntCIA · · Score: 1

      > Also, gotta wonder how/if it affects a properly patched windows xp machine and/or vista.

      I do not update or patch WindowsXP SP2. I do shut down unneeded services, I use SpybotSD to immunize Internet Explorer and I do tweak windows not to do this or that. I use the firewall to control programs, and have no resident virus scanning programs. I never use the Internet Explorer or Outlook.

      I use skype every day. Yesterday I have been spammed on pure geek English from my non English speaking friend to open some links like www.fakeit.org/somethig/~blahblah/funny.jpg while he was DND. I know that he would never speak / type to me in English, so it was clearly a virus.
      I have fair collection of so called "viruses". I wanted damn copy of it without getting infected. I did try following:
      1. download it with flashget. Failed. FlashGet reported that connection has been refused or terminated at the other side or something like that.
      2. download the link using the Netscape 8.1.3 ( the last Netscape ). Failed again. Netscape reported that link/site is known malware.
      I did not try to shutdown the firewall, or to disable the proxy, but something prevented the safe download of the file.

      A lame and quick fix would be to update the Skype not to show any links containing the .exe at the end. I guess that M$ could do something about activating the .exe links, but it might not be their top priority ATM and it obviously was not for the last 12+ years.
    5. Re:Lovely by Raideen · · Score: 1

      Explorer.exe becomes the parent of a process by default. Many trojans/spyware use svchost.exe to launch the respawn process. That process doesn't show up even in Process Explorer (much less Task Manager) and is what keeps the malware alive. Then the respawn process will launch the actual payload, which you see as a child process of explorer.exe. How are you confirming that it is explorer.exe that's actually spawning the processes? You could run Process Explorer, kill explorer.exe, kill the malware, and see if it still respawns. Just because explorer.exe actually touches the malware file, it doesn't mean that it's spawning it.

    6. Re:Lovely by Peaker · · Score: 1

      That's exactly what I did. I killed explorer.exe, and the respawning stopped.

  4. F-Secure info by CXI · · Score: 4, Informative
  5. Skype itself is blameless by ZwJGR · · Score: 5, Insightful

    Skype itself is (mostly) blameless, how can they be expected to protect users from this sort of attack (perhaps by pointing out to users that the link/download they're clicking on is a screensaver exe..., but Windows ought to tell you that anyway...)
    Naming it a worm is a minor overstatement as well.
    It propagates by user incompetence, not by a technical flaw...

    These sort of malware executables circulate on email lists (and I daresay, other IM networks) already, so it's no surprise that Skype has "joined the club" of being big enough to attract unwanted attention...

    --
    There is no psychiatrist in the world like a puppy licking your face - Ben Williams
    1. Re:Skype itself is blameless by jimicus · · Score: 4, Insightful

      It propagates by user incompetence, not by a technical flaw...

      If the last 8-10 years have taught the IT industry nothing else, we should at least be well aware by now that basing your security on "user never does anything stupid" is a pretty effective way to ensure that the user's system will be emailing everyone and his dog adverts for Geniun Vigara!!!111 (sic) by the end of the day.

    2. Re:Skype itself is blameless by gowen · · Score: 5, Insightful

      Skype itself is (mostly) blameless
      You what? Their program runs executable content from a URL without a warning or asking for confirmation. That's insanely bad design.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    3. Re:Skype itself is blameless by recoiledsnake · · Score: 1

      So what solution do you propose to stop stupid users from hurting themselves, but without severely restricting or inconveniencing their activities? I mean, it's fashionable to bash the IT industry, but can you come up with a solution?

      --
      This space for rent.
    4. Re:Skype itself is blameless by recoiledsnake · · Score: 2, Informative

      The saddest part about Slashdot is that people read the summary or sometimes a misleading article, assume things and then comment away which is modded up by moderators who don't have much clue either. Then you see someone picking out holes in the summary and article and usually getting modded up (a good thing!). And then one looks at all the modded up wrong comments and thinks "WTF were these people thinking up when they were posting/modding up this crap?"

      All Skype does is auto link URLs and make them launch in the default browser on the machine, just like almost every modern IM app does whenever you send them a link. The link looks like it's a JPG but is a .SCR, which infects the user only if they click "Run" in the dialog opened up by the browser(IE, FF, Opera, Safari etc.) According to your logic, it's Slashdot's fault if someone links to a virus EXE here and some clueless readers run it and then the virus autoappends a link to the posts that the Slashdot user posts.

      --
      This space for rent.
    5. Re:Skype itself is blameless by dc29A · · Score: 1

      > So what solution do you propose to stop stupid users from hurting themselves, but without severely restricting or inconveniencing their activities? I mean, it's fashionable to bash the IT industry, but can you come up with a solution?

      Why develop a solution for a non IT problem? The problem is that everyone and their dogs are running Windows as administrators. The solution is simple: educate the masses about NOT running their boxes as administrators. The security framework is already in Windows.

      There, I solved your problem.
    6. Re:Skype itself is blameless by jimicus · · Score: 1

      The problem is that everyone and their dogs are running Windows as administrators.

      There is still a fair bit of software which requires you run it as an administrator. Or if it doesn't, it doesn't exactly make life easy for those who'd like to run it as a non-admin account.

      There is also the Windows XP (don't know if Vista does the same thing, but I doubt it... finally) "feature" where it prompts you to create a user account at install time, explaining that this is "good practise". And then it immediately gives that account administrative privileges.

      And even if those things weren't a problem, it still wouldn't prevent the user from running a program which spread in this fashion. About the only thing the program couldn't do is write to some areas of the hard disk and listen for TCP services on a port < 1024. Neither of which are of particularly great concern to any malware author today, both of which could just as easily be done on Mac OS X or Linux.

    7. Re:Skype itself is blameless by recoiledsnake · · Score: 1

      That is not really a solution. What if the user wants to install programs that legitimately need admin access(Eg. Virus scanners, graphics drivers, etc) ? And don't mention badly written apps and games that need admin access to run with no reason. With your solution they will have to logout and then login as an admin, which they won't put up with.

      Microsoft already tried to solve this in Vista. Even administrators run with user credentials until they need Admin access at which point they are hit with a UAC prompt which people already whine about and you want people to run only with user credentials?

      --
      This space for rent.
    8. Re:Skype itself is blameless by haeger · · Score: 2, Insightful
      Yet we happily run around screaming "Linux has no viruses", effectively teaching our users to not be careful. And almost anything configuration-like we want to do requires a root-like password, effectively teaching everyone to be careless with that too.

      We've got to start looking out or we will have our shiny metal asses bitten.

       

      .haeger

      --
      You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
    9. Re:Skype itself is blameless by walterbays · · Score: 1

      Regardless of how much blame goes to Microsoft, to Skype, and to users for running unknown executables, all of them are harmed by it and have an interest in fixing it. For users the best thing is just to take this as another warning to be careful what you click on. Myself I just try not to use Windows or Explorer, *and* try to be careful with Firefox. Though the best fix could come from Microsoft not allowing arbitrary untrusted code to be run, Skype could intercept suspicious links and add some advice - just to avoid being blamed, fairly or unfairly.

    10. Re:Skype itself is blameless by jimicus · · Score: 1


      We've got to start looking out or we will have our shiny metal asses bitten.

      I know. Bloody wonderful, isn't it?

      The best bit is that every time someone points out that Linux having no viruses does not make it immune from malware, they're silenced by being modded and shouted down as a traditional "file-infector" type virus cannot and does not thrive on the platform.

      I'm going to pre-empt that here and now. I'm even going to shout it in the hope that it will get the point across.


      THE TRADITIONAL "EXECUTABLE FILE INFECTOR"-TYPE VIRUS IS ALL BUT EXTINCT AND HAS BEEN FOR YEARS. IT HAS BEEN REPLACED WITH TROJANS AND WORMS, NEITHER OF WHICH DEPEND ON INFECTING EXECUTABLE FILES AS A TRANSMISSION VECTOR.

    11. Re:Skype itself is blameless by recoiledsnake · · Score: 1

      > Though the best fix could come from Microsoft not allowing arbitrary untrusted code to be run..

      The second that there is even a hint of MS doing that, everyone on Slashdot would cry wolf about MS and DRM blocking access to what the user wants. That is exactly what happened with Trusted Computing. And who gets to decide what is trusted code and what is not? Will small software vendors have to pay to get their code certified? And will I be prevented from running code that I or a friend made?
      --
      This space for rent.
    12. Re:Skype itself is blameless by walterbays · · Score: 1

      You're right that people will criticize Microsoft whatever they do.

      > who gets to decide what is trusted code and what is not? Will small software vendors have to pay

      I like the security model of Java Web Start (disclaimer: I work for Sun) where you decide who you trust, and they can earn your trust by paying for a security certificate from a trusted commercial issuing authority, or they can self certify with a certificate from Thawte and earn your trust in other ways. I could imagine a PGP style web of trust relationships where I might authorize my system to run code from sources sufficiently trusted by people who I trusted.

      Of course all my friends could get fooled, and draw me into a trap, and my other friends after me. But that's the same as if I trust an auto mechanic because you recommended him and I trust you.

    13. Re:Skype itself is blameless by Anonymous Coward · · Score: 0

      AND WORMS, NEITHER OF WHICH DEPEND ON INFECTING EXECUTABLE FILES AS A TRANSMISSION VECTOR.
      But it does require that the operating system tries to execute a file based solely on file extension - doesn't it? Executable bits don't travel well in the Unix world.
    14. Re:Skype itself is blameless by DrSkwid · · Score: 1

      1. Run as restricted user
      2. Double click on the clock to get the calendar / analogue clock
      3. Call the Administrator to find out why you don't have permission to open the clock !
      4. Listen bemusedly to the Administrator tell you that you can't look at the calendar because you don't have permission to change the system time.
      5. Complain that you don't want to *change* the time, just look at it!
      6. ???
      7. Non-profit

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    15. Re:Skype itself is blameless by DrSkwid · · Score: 0, Troll

      You can scream all you like, happy or not.
      Lunix is insecure by design.
      Root is a design fault.
      That's why it got removed in the next version.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    16. Re:Skype itself is blameless by Anonymous Coward · · Score: 0

      My dog runs linux, you insensitive clod.

  6. Amazing by iamacat · · Score: 1

    That Windows still allows un-sandboxed executables to be run just by clicking on a link. Yes, this is technically the responsibility of Skype, but it probably just uses a stock COM control to handle the URL.

    1. Re:Amazing by Gothmolly · · Score: 1, Informative

      Any Unix GUI environment could allow this as well.

      ClickMe.sh

      For instance, could hose up your home directory and data pretty badly, if say, KDE's shell ran shell scripts when clicked.

      --
      I want to delete my account but Slashdot doesn't allow it.
    2. Re:Amazing by recoiledsnake · · Score: 3, Informative

      Uh. IE7 on Vista runs in a sandbox(note that this is to mitigate the damage caused by buffer overflows in IE code and not intended to sandbox executable/virus code), and warns you square whenever that boundary is breached(by opening a PDF, EXE or SCR, for example). Additionally, if the EXE requests admin privileges(required to install a rootkit, for example), the infamous UAC dialog appears. And if someone gives admin access when they wanted to view a JPEG, how is it Windows' or Skype's fault? Also, most versions of windows I have used(since 95) ask before opening executable files(even .SCR) So, Windows does not "still" allow un-sandboxed applications to run just clicking links. If users expect a JPEG but get a .scr or exe they have plenty of time/opportunity to click NO. This is not Windows or Skype's fault. It's just clueless users getting owned.

      --
      This space for rent.
    3. Re:Amazing by jawtheshark · · Score: 1

      Also, most versions of windows I have used(since 95) ask before opening executable files(even .SCR)

      You clearly don't remember the Outlook Midi exploit.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    4. Re:Amazing by recoiledsnake · · Score: 1

      Two things. Firstly, MIDI are not "executable" files, like .EXE, .COM, .SCR, or .PIF

      Second, I meant to say browsers in the versions of Windows(this is what TFA is about) and not other apps like Outlook. But, point taken.

      --
      This space for rent.
    5. Re:Amazing by jawtheshark · · Score: 2, Interesting

      Ehm, you really don't remember, do you? There was functionality in Outlook that allowed emails to run midis, except it didn't check the MIME type and ran whatever declared itself as being a midi, including EXE, COM, SCR and PIF. So, the person opening those emails got infected by "just opening the email".

      That was back in the day that we computer scientists were laughing at those "open an email and get virus emails". We didn't count with Outlook.... *sigh* That was a long time ago...

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    6. Re:Amazing by KiloByte · · Score: 2, Informative

      Any Unix GUI environment could allow this as well.

      ClickMe.sh

      You forgot:
      chmod a+x ClickMe.sh
      Even the GUI version of the above requires at least 5 clicks in Gnome, and I guess about as much in KDE.
      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Amazing by SEMW · · Score: 1

      > ...warns you square whenever that boundary is breached(by opening a PDF, EXE or SCR, for example). Additionally, if the EXE requests admin privileges(required to install a rootkit, for example), the infamous UAC dialog appears.

      Actually, technically the first dialogue is a UAC dialogue as well. The "sandbox mode" is really just another privilege level; just a really low one -- much lower than standard user -- so the normal "sandbox dialogue" is an elevation request from "really low" to "standard user".

      Incidentally, that's another reason why it's a bad idea to turn off UAC.
      --
      What's purple and commutes? An Abelian grape.
    8. Re:Amazing by DrSkwid · · Score: 1

      There was also a buffer overrun in the Date: parsing, no need to open anything.
      Then there was auto-executing HTML with embedded ActiveX controls and other documents.

      Checking the MIME Type is hardly a security measure, it's just a header.
      The only way to test a file is to process it with the application. Remember the recent MS image opening ownage.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    9. Re:Amazing by Anonymous Coward · · Score: 0

      UAC is still pointless to many people due to the fact the so many legit vendors don't sign their drivers, or give you any way to confirm what you downloaded is really what you wanted.
      My niece got her machine trashed when installing a "new codec" for her media player.
      I saw my wife the other day just click on a page it asked her to install a component, she clicked OK and blindly entered the admin password when asked. I asked her what she just installed, and she said "I don't know, it asks me this all the time".

      This is just another one. Hey big news. If you just click on any old thing you might get infected with malware.

  7. Software diversity is a good thing. by Joseph Vigneau · · Score: 0, Redundant

    This is a risk of a closed source end-to-end system like Skype. Other, standards-based VoIP technology (ie, SIP and friends) prevents worms like this from propagating. There are plenty of very good alternatives to Skype, but in the end, it seems worse is better.

    1. Re:Software diversity is a good thing. by abigor · · Score: 3, Insightful

      You have no idea what you're talking about.

    2. Re:Software diversity is a good thing. by Opportunist · · Score: 4, Insightful

      And how? By not implementing a messaging system the moron user can click and infect himself?

      Where's Skype to blame if someone gets a link sent and clicks it without even trying to see what's behind it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Software diversity is a good thing. by Anonymous Coward · · Score: 0

      And you are a buttfucking shitdick.

    4. Re:Software diversity is a good thing. by jhol13 · · Score: 1
      I do not know how this exploit goes exactly in Skype.

      But please try this "exploit" in Firefox. It will not let you run the .scr, it will ask if you want to save it to disk or cancel. You *cannot* run it from Firefox. In Linux the .scr would be saved as non-executable. I'd imagine the same happens in Windows.

    5. Re:Software diversity is a good thing. by Opportunist · · Score: 1

      Hmm... WWWD (what would Windows do)? Let's take a look at a stock .scr file.

      Hmm... starts with "MZ", has a DOS-Stub, has a PE-Header, has PE-Sections... Yup, is a PE-Executable. I'd say, Windows would run it.

      Snide comments aside, Screensavers ARE executables in Windows. That's what makes SCR such a popular extension for malware, nobody'd expect that. More important, screensavers are fun in and by themselves, so people will readily click them where they might not with a normal executable unless there's a good reason why they'd want to see what's inside.

      I give you that it's not really a bright idea from Skype's developers to allow running arbitrary executables from a download source. But do you think this would change if you were to save it first? Do you think it would keep a single idiot from running it?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
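The point made in the comment above (a .scr file starts with "MZ" and carries a PE header, whatever the link that delivered it looked like) can be turned into a download check. This is an added example, not part of the original thread: it compares the extension a link advertised with the saved file name and the file's actual leading bytes. The function names, the URL and both byte samples are constructed for illustration; the stub holds only header fields and is not a runnable program.

```python
import posixpath
import struct
from urllib.parse import unquote, urlsplit

# Extensions named in this thread as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}
IMAGE_EXTS = {".jpg", ".jpeg"}


def _constructed_pe_stub():
    """Header-only bytes: 'MZ', e_lfanew at 0x3C, then the 'PE\\0\\0' signature."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00"


CONSTRUCTED_PE_STUB = _constructed_pe_stub()
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)


def looks_like_pe(data):
    """Follow the DOS header's e_lfanew pointer and check the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Classify content by its bytes, ignoring any name or header."""
    if looks_like_pe(data):
        return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return "unknown"


def ext_of(name):
    """Effective extension; Windows ignores trailing dots and spaces."""
    return posixpath.splitext(name.rstrip(". "))[1].lower()


def assess_download(link_url, saved_name, data):
    """Compare what the link advertised with what was actually delivered."""
    link_path = unquote(urlsplit(link_url).path)
    link_ext = ext_of(posixpath.basename(link_path))
    file_ext = ext_of(saved_name)
    kind = sniff(data)

    reasons = []
    if kind == "pe":
        reasons.append("content is a PE executable")
    if file_ext in EXECUTABLE_EXTS:
        reasons.append("saved name has executable extension " + file_ext)
    if link_ext in IMAGE_EXTS and (kind != "jpeg" or file_ext not in IMAGE_EXTS):
        reasons.append("link advertised an image but delivered something else")
    return {"kind": kind, "link_ext": link_ext, "file_ext": file_ext,
            "block": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    url = "http://host.example/pics/funny.jpg"  # constructed URL
    for name, body in (("funny.scr", CONSTRUCTED_PE_STUB),
                       ("funny.jpg", CONSTRUCTED_JPEG)):
        print(name, assess_download(url, name, body))
```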
    6. Re:Software diversity is a good thing. by jhol13 · · Score: 1

      Yes, I do think it would help. It would create an obstacle far higher than "click-yes-and-it-runs".

      No, it would not stop determined idiot so most likely 90% of people would still get infected.

    7. Re:Software diversity is a good thing. by Opportunist · · Score: 1

      A "solution" that helps one person and hampers 99 is none. I know it has tradition in Windows, but that doesn't make it right.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Obligatory Condom. by Anonymous Coward · · Score: 0

    So does that mean Russians are dicks?

  9. Skype's revenge by Nimey · · Score: 3, Funny

    They're getting back at all the people who rebooted last month.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  10. FIXED by Anonymous Coward · · Score: 5, Funny

    s/some of the //

  11. blithely by AbbyNormal · · Score: 2, Funny

    blithely click my signature link for more information on this developing story!

    --
    Sig it.
    1. Re:blithely by Anonymous Coward · · Score: 0

      Lies. I didn't see anything.

    2. Re:blithely by Anonymous Coward · · Score: 0

      I would, but you blithely malformed the link.

  12. Is there any chance this is related to outage? by Thagg · · Score: 2, Interesting

    Three weeks ago, Skype was down for quite a while. Was it possible that it was not the benign "updating software" that they had previously reported? Perhaps it really was some kind of malicious attack.

    An acquaintance of mine was hit by this today, he only ran Skype ever with his wife and daughter -- it seems hard to imagine how bad guys got ahold of his address, unless perhaps somebody downloaded the whole database.

    Thad Beier

    --
    I love Mondays. On a Monday, anything is possible.
    1. Re:Is there any chance this is related to outage? by Rob T Firefly · · Score: 1

      > An acquaintance of mine was hit by this today, he only ran Skype ever with his wife and daughter -- it seems hard to imagine how bad guys got ahold of his address, unless perhaps somebody downloaded the whole database.

      Since the malware sends itself to those on an infected user's contact list, I would imagine that means he got it from either his wife or daughter.
    2. Re:Is there any chance this is related to outage? by jrl · · Score: 0, Troll

      Or perhaps he got it from that nice young 16 year old he's been chatting with from the office.

    3. Re:Is there any chance this is related to outage? by Anonymous Coward · · Score: 0

      You could have said "here are some other Skype stories I remember seeing on Slashdot". But spin it in the form of "could this be related to..." and somehow people are more likely to mod you up.

    4. Re:Is there any chance this is related to outage? by LQ · · Score: 1
      An acquaintance of mine was hit by this today, he only ran Skype ever with his wife and daughter -- it seems hard to imagine how bad guys got ahold of his address, unless perhaps somebody downloaded the whole database.

      And the wife and daughter don't have other contacts? I guess this is just a standard address book trojan - six degrees of separation and all that.

  13. Don't blame me. by NotQuiteReal · · Score: 1
    I always assume everyone is stupid.

    I haven't been proven wrong, yet.

    --
    This issue is a bit more complicated than you think.
    1. Re:Don't blame me. by OK PC · · Score: 1

      Well I'll prove you!

      --
      Did you get that thing I sent ya?
    2. Re:Don't blame me. by AusIV · · Score: 1
      I think that's a slight misquote. My father taught me

      Always assume everyone is stupid.

      You won't be disappointed.
      There are plenty of people who won't screw up, but if you deal with the idiots before they have a chance to screw up, it will be easier than dealing with it later.
    3. Re:Don't blame me. by Anonymous Coward · · Score: 0

      I always assume everyone is stupid.

      I haven't been proven wrong, yet.
      You probably have been, but were too stupid to realise. Paradox ahoy!
    4. Re:Don't blame me. by Anonymous Coward · · Score: 0

      Your stupid

  14. Microsoft's fault? by sconeu · · Score: 3, Informative

    With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Microsoft's fault? by recoiledsnake · · Score: 4, Insightful
      I fail to see how that behavior makes a difference here. The user clicks on a link that ends in .JPG, and the browser asks him to run or save an SCR file. No hiding the extension is involved here. If the user runs it, BAM. If he saves it, THEN he or someone else would not be able to see the extension and would run it(Though I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though).

      Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows.

      --
      This space for rent.
    2. Re:Microsoft's fault? by everphilski · · Score: 2, Insightful

      With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

      I fail to see how a 'non-technically proficient user' would notice the appropriate extension...

    3. Re:Microsoft's fault? by cbhacking · · Score: 3, Informative

      I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though

      It doesn't matter, since jpegs (non-executable data files in general) don't present that warning (the text of the warning is something along the line of "this type of file can harm your computer"). Not to mention they would presumably notice the file type while downloading and cancel the download / delete the file. Of course, the fact that anybody GETS these warnings (I haven't gotten one in Skype, but I've seen a couple that were near-identical over AIM) means that there are people out there who are actually stupid enough to ignore the warning...

      Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows.

      Agreed, although I actually change roughly half the options in Folder Settings. It's gotten better over time; 2000 you had to change almost all of them, XP only about 80%, Vista is down to nearly 50%. IE's default settings have gotten better too, especially with 7.
      --
      There's no place I could be, since I've found Serenity...
    4. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      The oldest trick in the book!

      God if someone gets infected by this, they should be shot! Poor, poor Charles Darwin. Good thing he doesn't have to see this tragicomedy. And fucking M$ for making this possible... ...How fitting, the CAPTCHA was 'timeless'! Ha!

    5. Re:Microsoft's fault? by MillionthMonkey · · Score: 1

      There are differing levels of technical proficiency; it's not an on/off thing. There are people who know enough not to click on .scr but who haven't found that stupid checkbox hiding in Folder Options. Think "myspace users".

      What's really boneheaded is having to worry about clicking on screensaver links at all.

    6. Re:Microsoft's fault? by tsa · · Score: 2, Informative

      Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows.

      In OSX it's no different. But for some reason Steve's reality distortion field is so strong Mac users don't seem to care about it much.

      --

      -- Cheers!

  15. Sweet merciful Jesus by El+Savior · · Score: 1

    How much of a lame brain must one be to fall for the same trick for the second time? A rhetorical question, indeed.

    1. Re:Sweet merciful Jesus by Anonymous Coward · · Score: 2, Funny

      As a US president once said :- "There's an old saying in Tennessee -- I know it's in Texas, probably in Tennessee -- that says, fool me once, shame on -- shame on you. Fool me -- you can't get fooled again."

  16. I don't know why by MortenMW · · Score: 0

    ...but I am still surprised that people are stupid enough to click on random links.

  17. Poor Skype... by brouski · · Score: 1, Flamebait

    Hasn't been the best two months for them, has it?

    Interesting that Microsoft is, yet again, directly or indirectly, responsible for their misfortune.

    --
    Proud member of the American Non Sequitur Society. We might not make much sense, but boy do we love pizza!
    1. Re:Poor Skype... by initdeep · · Score: 1

      Please explain how this is, directly or indirectly, Microsoft's fault. Is it because they don't prohibit the running of executable files period? Or is it because they don't require a competency test to own a computer? I'd like to know.

    2. Re:Poor Skype... by ^_^x · · Score: 1

      It's not even Skype's fault really... they support URLs.
      I guess some would say it's MS' fault because they allow malicious code to run. Personally I think trying to hold them accountable for that kind of thing just makes subsequent versions of Windows even more restricted and unusable without properly "breaking them in." :/

    3. Re:Poor Skype... by drsmithy · · Score: 1

      Interesting that Microsoft is, yet again, directly or indirectly, responsible for their misfortune.

      Indeed. Just as interesting as how oxygen is, yet again, directly or indirectly, responsible for their misfortune.

  18. Glad I run Linux by Anonymous Coward · · Score: 0

    Sadly, this damn work system is a windows box. Hmmm. Check out that pretty pix coming on skype. Pretty, pretty.

  19. Social Engineering at its best by Enrique1218 · · Score: 1

    I was wondering what happened to all those malware writers. Dear God, I was afraid I would have to change my sig!!! Something like, "You don't have to be smart to use Windows, you just have to be smart enough to install it" Oh the freakin' horror! I shudder to type such a sig. Although, this one sounds more appropriate after RTFA, "You can't be dumb to use Windows, you just have to be dumb enough to install it"

    --
    You don't have to be smart to use a Mac, you just have to be smart enough to buy one
    1. Re:Social Engineering at its best by Ossadagowah · · Score: 1

      I was wondering what happened to all those malware writers.

      Someone set them up the bomb.

      --
      anata sekai o kakumei surush ga nai deshou? Anata no susumu michi wa yoi shite arimasu.
    2. Re:Social Engineering at its best by GameboyRMH · · Score: 1

      Any ideas for sigs that don't offend people based on their OS choice? (Windows, Linux and MacOS are all useful in their own way). People say Windows users are simple computer-illiterate dimwits. People say Mac users are snooty fashion-oriented trust fund babies. People say Linux users are creepy antisocial basement dwellers. There's a negative stereotype for all of them, but the truth is there are intelligent people using any of them for good reasons, and you really don't seem like one of these people when you diss users of another OS based on nothing more than a silly stereotype.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  20. The malware terminates a list of 534 processes. by Futurepower(R) · · Score: 1

    Wow. A LOT of work went into making that malware. According to the F-Secure page you linked, it terminates a list of 534 processes. Whoever is doing that is dedicated. Seems like such a person could make money honestly.

    1. Re:The malware terminates a list of 534 processes. by Peaker · · Score: 1

      I wanted to run regedit even though this malware disallowed it, so I copied regedit.exe to re.exe and that worked. Not enough work went into it, apparently :-)

    2. Re:The malware terminates a list of 534 processes. by myowntrueself · · Score: 3, Funny

      Seems like such a person could make money honestly.

      Anyone who can make $money honestly could make N * $money dishonestly.

      How do you think corporatism works? :-P

      --
      In the free world the media isn't government run; the government is media run.
  21. Yet Again... by RAMMS+EIN · · Score: 3, Funny

    Yet again, us Linux users are left out. The program works only on Windows/x86. And here I am, on my glorious Linux/ppc box, just having painfully gotten Skype to work...and they introduce a new feature that I can't access...boohooo!

    (I kid. I hate Skype passionately (for getting everybody on a proprietary solution when open protocols exist) and would never go through any amount of trouble to get it installed on my computer.)

    --
    Please correct me if I got my facts wrong.
    1. Re:Yet Again... by LingNoi · · Score: 1

      Speak for yourself. My girlfriend, who is 8000 miles away, and I have been trying numerous different voip and webcam services. I'm on Ubuntu with 1Mb and she's on Windows with 56k at home and a 1 Mb line at work.

      It is a lot better than any other voip service Linux can offer. Ekiga sucks compared to Skype voice. Gtalk might be able to beat it in the future but the apps just aren't there and stable right now to support it out of the box. I found Ekiga, which comes in a default Ubuntu install, to be too quiet and it doesn't work well on a 56k connection.

      As for video I found Ekiga video to be faster than Yahoo or MSN but the quality wasn't as good as MSN and Ekiga didn't support my web cam properly so I only got the right hand corner of my webcam which would have been ok if it wasn't for the fact that it's difficult to know when people are online with Ekiga.

      Yahoo webcam seemed to be the best choice by using gyachi but it can go up to 30% CPU usage with one person viewing my webcam.

      To summarize..
      GTalk - Apps still in dev - No video
      MSN & AMSN - Didn't try audio - Was having problems with closed ports for video but when it was working about Good quality 1 frame every 2 seconds
      Yahoo & Gyachi - Didn't try audio - Reasonable quality about 1 FPS sometimes it pauses and gives you 6 frames in super fast motion to catch up
      Skype - Works great even on 56k - No video for Linux
      Ekiga - Not good on 56k - Difficult to know when someone is online - Difficult to call them and they pick up

      I am using a combination of Skype for Audio and Yahoo with Gyachi for webcam.

    2. Re:Yet Again... by Grishnakh · · Score: 1

      8000 miles away? I think a simpler and better solution would be to just get a new girlfriend who lives nearby.

  22. Worm, Bug, ???, Virus by Anonymous Coward · · Score: 0

    Biological metaphors stick better, so we must change the name of "Trojans" (Trojan Horse) so media stops abusing the "Worm" term.

    So, what do we call it.. Just "Horse"? Not threatening. Dragon is more scary, but it's gotta be a little bugger ("Bug", "Worm", "Virus"...). DragonFly? Or just Fly. Fly sucks though, maybe Wasp.

    You see, if you're smart you see the yellow/black stripes and run away, but if you're not and tease it, it stings you.

    "Skype Wasp Stings Windows PCs"

    Yea, much better. If it sounds weird, don't worry, Firefox sounded weird too when we all knew it as Fire... uhmmm, well there we go, right?

  23. I've seen this "worm" with my own eyes! by Erikderzweite · · Score: 1

    And I have actually clicked those links. But do not worry about me and do not call me stupid. I just wanted to see whether something new had happened in the malware scene. Yet I was disappointed - same shitty *.scr binary file. I've seen this years before... Same stupidity-driven "worms" with end users to blame (and, to a lesser extent, windows is also to blame since it executes the files without asking, where is chmod +x when you need one...).
    BTW, I was asked by Firefox whether I want to download those files. And I didn't. They would never work on my Gentoo system anyway.
    Oh, has anyone tried whether it works with wine?

    1. Re:I've seen this "worm" with my own eyes! by drsmithy · · Score: 1

      Same stupidity-driven "worms" with end users to blame (and, to a lesser extent, windows is also to blame since it executes the files without asking, where is chmod +x when you need one...).

      Windows does not execute downloaded binaries without prompting.

      Further, having to chmod +x would add an additional step, but anyone silly enough to download and run some random binary from an IM is hardly going to be slowed down by that - just look at how many people fell victim to the trojan that arrived in a *password protected zip file*.

    2. Re:I've seen this "worm" with my own eyes! by tacet · · Score: 1

      i did. it doesn't. :)

      interesting thing was, that on my windows box it closed ethereal, never to allow run it again.

  24. Forbidden extensions? by Spy+der+Mann · · Score: 1

    Perhaps chat clients should by default ban files with executable extensions, namely .exe, .com, .scr and .bat. Links should not even be shown to the user if the file is masked as .jpg, .png, .avi, or any non-executable extension.

    1. Re:Forbidden extensions? by DrSkwid · · Score: 1

      Using the filename to decide what to try and execute is already retarded, please don't heap any more shit on an already shitty idea.

      We're still living with .htm ffs

      I blame Apache and its "let's map URIs straight to filenames" idiocy

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:Forbidden extensions? by Spy+der+Mann · · Score: 1

      Using the filename to decide what to try and execute is already retarded

      I meant links like this: <a href="virus.exe">innocent-looking-pic.jpg</a>

    3. Re:Forbidden extensions? by DrSkwid · · Score: 1

      Legislate against this in your "secure" chat client then :

      innocent-looking-pic.jpg

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
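
Added example, not part of the thread or of any chat client's code: a sketch of the link check argued over in the comments above. It covers both cases raised: link text that differs from the target, and a URL that itself ends in .jpg while the server hands back an executable. The function names, finding labels, host name and sample responses are all constructed for illustration.

```python
from email.message import Message
from posixpath import splitext
from urllib.parse import unquote, urlparse

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat"}  # the list proposed in the thread
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def ext(name):
    """Lower-cased final extension of a file name or URL path ('' if none)."""
    return splitext(name.strip().lower())[1]


def served_filename(headers):
    """File name the server asks the browser to save as, or '' if not given."""
    value = headers.get("content-disposition")
    if not value:
        return ""
    msg = Message()
    msg["Content-Disposition"] = value
    return msg.get_filename() or ""


def check_link(link_text, href, headers, first_bytes):
    """Return reasons to block a link; an empty list means no mismatch found."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    text_ext = ext(link_text)
    url_ext = ext(unquote(urlparse(href).path))
    saved_ext = ext(served_filename(headers))
    poses_as_image = text_ext in IMAGE_EXTS or url_ext in IMAGE_EXTS
    findings = []
    if url_ext in EXECUTABLE_EXTS:
        findings.append("url-executable-extension")
    if text_ext in IMAGE_EXTS and url_ext not in IMAGE_EXTS:
        findings.append("text-target-mismatch")
    # The URL's own extension proves nothing: look at what the server returns.
    if saved_ext in EXECUTABLE_EXTS:
        findings.append("served-executable-filename")
    if poses_as_image and first_bytes[:2] == b"MZ":  # DOS/PE header, used by .scr/.exe
        findings.append("image-link-returns-pe")
    return findings


# Constructed samples: (link text, href, response headers, first bytes of body)
SAMPLES = {
    "text differs from target": (
        "innocent-looking-pic.jpg", "virus.exe", {}, b""),
    "url ends in .jpg, server sends .scr": (
        "innocent-looking-pic.jpg",
        "http://files.example/innocent-looking-pic.jpg",
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="innocent-looking-pic.scr"'},
        b"MZ\x90\x00"),
    "real image": (
        "holiday.jpg", "http://files.example/holiday.jpg",
        {"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", check_link(*sample) or "ok")
```

The second sample is the one an extension filter on the link alone misses, which is why the check has to look at the response headers and leading bytes as well.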
  25. Why people use Skype by Jabbrwokk · · Score: 1

    Crappy code or not, it works well on Windows and Mac machines. It's easy to set up. Its SkypeOut rates are extremely cheap and the call quality is pretty good. It also does video extremely well and works easily with most webcams. But it's going to have to clean up its act when it comes to security because there are some alternatives emerging -- like GizmoProject. GizmoProject is great, and uses an open standard, but does not do video nor does it show any intentions of adding it. So scratch that one for me for now, but if it ever adds video, watch out Skype.

    1. Re:Why people use Skype by RAMMS+EIN · · Score: 1

      Ah, video. Another thing that Skype added long after the open world had it (at least Ekiga, then Gnomemeeting, did)...and now people are using Skype, because it has video!

      Sorry. I'm bitter. Feel free to ignore me.

      --
      Please correct me if I got my facts wrong.
  26. Mandatory Probation for Stupid by Anonymous Coward · · Score: 0

    Anyone who clicks on an unfamiliar web link should have their license to operate a PC revoked. These same idiots drive cars and operate the cappuccino machine behind the counter at Starbucks.

  27. Not a skype worm... by Sj0 · · Score: 1

    This isn't a skype worm, it's a human worm. It requires humans to download and install a piece of malignant code, whereupon it simply uses skype to send messages to exploit further vulnerabilities in the human.

    --
    It's been a long time.
    1. Re:Not a skype worm... by s_p_oneil · · Score: 1

      Actually, it's neither. It is a Skype trojan. It's a trojan because it must trick the user into installing it. It's a Skype trojan because it actually links to Skype to spread itself to other Skype users. So if you're not using Skype, the chance of being infected with it is essentially nil.

    2. Re:Not a skype worm... by Sj0 · · Score: 1

      Oh, I agree.

      But if we're going to call it a 'worm' or 'virus', we've got to accept the vulnerability being exploited: The human.

      --
      It's been a long time.
    3. Re:Not a skype worm... by s_p_oneil · · Score: 1

      Of course. But I'm waiting for the day that a real virus comes out for Skype. I'm not trying to be a troll. I just feel certain that Skype is a gaping security hole waiting to be exploited, and I can't figure out why no hacker has turned the Skype network into his own personal bot network yet.

      I can only think of two valid reasons for them to stay away from it. One is that they're being lazy and going after lower hanging fruit. The other is that hackers probably all love using Skype because they love having free conversations that are practically impossible to track/monitor, so they don't want to tarnish Skype's reputation.

  28. Assume by ShawnCplus · · Score: 2, Funny

    Do we really need the title to say "Windows PCs"? I thought that was implied any time malware was concerned.

    --
    Excuse me while I gather the virgin sacrifice and assemble the pentagram required to solve your problem
    1. Re:Assume by cbiltcliffe · · Score: 2, Insightful

      Do we really need the title to say "Windows PCs"? I thought that was implied any time malware was concerned.
      Yes, we do. Because for a start, every time we don't, Linux/BSD/Mac/FreeDOS/Solaris-x86 fans complain that it's not "PCs" that are vulnerable, it's Windows. Which is true. Also, since the article says Windows PCs, the /. summary is just quoting that. It's also a good thing that the article states this, because the less technical crowd who might read it may notice that it's only Windows PCs that are affected, and start wondering what there is besides Windows PCs, or maybe look into purchasing something alternative that's not affected by so many worms/viruses/spyware.
      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  29. 110% of them by OrangeTide · · Score: 3, Funny

    Most skype users don't know what blithely means. And are unaware of any fundamental difference between a spell-checker and a dictionary.

    --
    “Common sense is not so common.” — Voltaire
  30. Linux support? by OrangeTide · · Score: 2, Funny

    When will native Linux support for this worm/trojan become available?

    Also could you post the link so that I can try porting the .scr to .pl ?

    --
    “Common sense is not so common.” — Voltaire
    1. Re:Linux support? by itsthebin · · Score: 1
      --
      ...I obey the laws of physics....
  31. Mod Parent Up! by Anonymous Coward · · Score: 0

    Mod points somehow elude me.

  32. Thank god this is /. by martnik · · Score: 1

    I'm glad this isn't youtube, where a first-poster would've just written "FIRST!" I... "dislike" those guys.

    1. Re:Thank god this is /. by JazzLad · · Score: 1

      Yeah, I'm glad there is no meme like that on /.

      --
      "If you have nothing to hide, you have nothing to fear." - Every fascist, ever
  33. Open source alternatives by l0b0 · · Score: 1

    Time to mention Ekiga (formerly GnomeMeeting) and OpenWengo. They suck, but there you go...

  34. Unix outlook by ceeam · · Score: 1

    A serious question: how would Unix/Linux systems be immune to this kind of malware as they become more and more popular? Well, apart from lesser incidence of users running as "root" and more varied binary landscape (which would make it just a tad harder to spread executables, but still i386 exe linked against reasonably fresh glibc will run on majority of linux systems, right?), well, apart from that I don't see how one cannot make a linux spam-sending bot or whatever that would run every time a user logs in. We currently brag about linux being more secure and virus free but how much of that can be gone when illiterate users start prevailing?

    1. Re:Unix outlook by Erikderzweite · · Score: 1

      Illiterate users will have no idea how to make chmod +x. Besides, it is possible to prevent execution of a file from any non-root-owned folder. But even without this measure the whole system is hardly to be compromised - only the users profile. And it's much easier to deal with than with an infected windows machine where only full reinstall helps.

  35. It Magically Appeared by Anonymous Coward · · Score: 0

    Skype magically appeared on my PC this morning. It was highlighted in the start menu and there was a new shortcut on my desktop. I did not do it - someone or something did it while I was sleeping - and I live alone.

    Any advice?

  36. If you listen very very carefully... by Organic+Brain+Damage · · Score: 1

    ...you can hear the worm slithering into your ears when you use SKYPE.

  37. Jackalope by JCSoRocks · · Score: 1

    What kind of jackalope writes a trojan for an awesome free VoIP service anyway? Skype's great... what kind of tool would want to mess it up? Lame.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.