Slashdot Mirror


Skype Worm Infects Windows PCs

walterbays writes with news of a worm spreading to Windows PCs through Skype's IM. The worm is variously called Ramex.a and Pykspa.d. A poster on a Skype forum explains how to remove it. "After hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL — which poses as a JPG image but is actually a download to a file with the .scr extension — wind up infected."

10 of 127 comments

  1. F-Secure info by CXI · · Score: 4, Informative
  2. Re:Amazing by Gothmolly · · Score: 1, Informative

    Any Unix GUI environment could allow this as well.

    ClickMe.sh, for instance, could hose up your home directory and data pretty badly if, say, KDE's shell ran shell scripts when clicked.

    --
    I want to delete my account but Slashdot doesn't allow it.
  3. Re:Amazing by recoiledsnake · · Score: 3, Informative

    Uh. IE7 on Vista runs in a sandbox (note that this is to mitigate the damage caused by buffer overflows in IE code and not intended to sandbox executable/virus code), and warns you squarely whenever that boundary is breached (by opening a PDF, EXE or SCR, for example). Additionally, if the EXE requests admin privileges (required to install a rootkit, for example), the infamous UAC dialog appears. And if someone gives admin access when they wanted to view a JPEG, how is it Windows' or Skype's fault? Also, most versions of Windows I have used (since 95) ask before opening executable files (even .SCR). So, Windows does not "still" allow un-sandboxed applications to run just by clicking links. If users expect a JPEG but get a .scr or .exe they have plenty of time/opportunity to click NO. This is not Windows' or Skype's fault. It's just clueless users getting owned.

    --
    This space for rent.
  4. Microsoft's fault? by sconeu · · Score: 3, Informative

    With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Microsoft's fault? by cbhacking · · Score: 3, Informative

      I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though

      It doesn't matter, since JPEGs (non-executable data files in general) don't present that warning. (The text of the warning is something along the lines of "this type of file can harm your computer".) Not to mention they would presumably notice the file type while downloading and cancel the download / delete the file. Of course, the fact that anybody GETS these warnings (I haven't gotten one in Skype, but I've seen a couple that were near-identical over AIM) means that there are people out there who are actually stupid enough to ignore the warning...

      Hiding the extension is a most annoying thing though, it's the first setting that I change on a new install of Windows.

      Agreed, although I actually change roughly half the options in Folder Settings. It's gotten better over time; in 2000 you had to change almost all of them, XP only about 80%, Vista is down to nearly 50%. IE's default settings have gotten better too, especially with 7.

      --
      There's no place I could be, since I've found Serenity...
    2. Re:Microsoft's fault? by tsa · · Score: 2, Informative

      Hiding the extension is a most annoying thing though, it's the first setting that I change on a new install of Windows.

      In OSX it's no different. But for some reason Steve's reality distortion field is so strong Mac users don't seem to care about it much.

      --
      Cheers!

  5. Re:Lovely by recoiledsnake · · Score: 4, Informative

    It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

    --
    This space for rent.
  6. Re:Skype itself is blameless by recoiledsnake · · Score: 2, Informative

    The saddest part about Slashdot is that people read the summary or sometimes a misleading article, assume things and then comment away, which is modded up by moderators who don't have much clue either. Then you see someone picking out holes in the summary and article and usually getting modded up (a good thing!). And then one looks at all the modded-up wrong comments and thinks "WTF were these people thinking when they were posting/modding up this crap?"

    All Skype does is auto-link URLs and make them launch in the default browser on the machine, just like almost every modern IM app does whenever you send them a link. The link looks like it's a JPG but is a .SCR, which infects the user only if they click "Run" in the dialog opened up by the browser (IE, FF, Opera, Safari etc.). According to your logic, it's Slashdot's fault if someone links to a virus EXE here and some clueless readers run it and then the virus auto-appends a link to the posts that the Slashdot user posts.

    --
    This space for rent.
  7. Re:Lovely by Peaker · · Score: 3, Informative

    It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

    Heh, I am Eyal. I admit I was "infected". Basically I clicked the "scr" link because I foolishly trusted the source of the message to be who it was, did not read the contents before clicking, I don't really give much of a damn about this Windows box, and I forgot that the "scr" extension was executable, and not just an image file (which is typically a less likely attack vector).

    I assumed that since Explorer.exe was unmodified, but explorer.exe is respawning the virus/worm's executable, it had modified Explorer's behavior in some way, perhaps by code injection. It was just speculation, of course, and obviously there are simpler ways to get explorer.exe to respawn your process, but it really is an unimportant detail.
  8. Re:Amazing by KiloByte · · Score: 2, Informative

    Any Unix GUI environment could allow this as well.

    ClickMe.sh

    You forgot:

    chmod a+x ClickMe.sh

    Even the GUI version of the above requires at least 5 clicks in Gnome, and I guess about as much in KDE.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
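
The extension-hiding default and the "JPG that is really a .scr" link debated in the comments above, modelled as an added example (not code from the thread, from Skype or from F-Secure). The URLs, sender names and IM messages are constructed samples; `example.invalid` never resolves.

```python
# Added example, not code from the Slashdot thread. It models the thread's two
# points: the XP "hide extensions for known file types" default shows
# party.jpg.scr as party.jpg, and an IM link that looks like a JPG fetches a .scr.
import posixpath
import re
from urllib.parse import unquote, urlparse

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}  # program files
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
URL_RE = re.compile(r"https?://\S+")

def displayed_name(filename, hide_known_extensions=True):
    """Name Explorer shows: with the XP default, the final known extension is dropped."""
    stem, ext = posixpath.splitext(filename)
    if hide_known_extensions and stem and ext.lower() in EXECUTABLE_EXTS | IMAGE_EXTS:
        return stem
    return filename

def classify_link(url):
    """Compare what a link's file really is with what the user would see it as."""
    filename = unquote(posixpath.basename(urlparse(url).path))
    _, real_ext = posixpath.splitext(filename)
    real_ext = real_ext.lower()
    shown = displayed_name(filename)
    _, shown_ext = posixpath.splitext(shown)
    return {
        "filename": filename,
        "displayed_as": shown,
        "executable": real_ext in EXECUTABLE_EXTS,
        # Executable whose visible name ends in an image extension: the worm's trick.
        "disguised_as_image": real_ext in EXECUTABLE_EXTS and shown_ext.lower() in IMAGE_EXTS,
    }

def flag_messages(messages):
    """Return (sender, url) for every IM link that downloads a disguised executable."""
    return [(sender, url) for sender, text in messages
            for url in URL_RE.findall(text)
            if classify_link(url)["disguised_as_image"]]

# Constructed sample IM traffic (not the worm's real messages or hosts).
SAMPLE_MESSAGES = [
    ("alice", "lol check this out http://example.invalid/pics/party.jpg.scr"),
    ("bob", "beach pic http://example.invalid/img/beach.jpg"),
    ("carol", "the installer: http://example.invalid/dl/setup.exe"),
]

if __name__ == "__main__":
    for sender, url in flag_messages(SAMPLE_MESSAGES):
        print(f"{sender}: {url} -> shown as {classify_link(url)['displayed_as']}")
```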