Skype Worm Infects Windows PCs

walterbays writes with news of a worm spreading to Windows PCs through Skype's IM. The worm is variously called Ramex.a and Pykspa.d. A poster on a Skype forum explains how to remove it. "After hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL — which poses as a JPG image but is actually a download to a file with the .scr extension — wind up infected."

F-Secure info

[CXI]

F-Secure has information as well.

Re:Amazing

[recoiledsnake]

Uh. IE7 on Vista runs in a sandbox(note that this is to mitigate the damage caused by buffer overflows in IE code and not intended to sandbox executable/virus code), and warns you square whenever that boundary is breached(by opening a PDF, EXE or SCR, for example). Additionally, if the EXE requests admin privileges(required to install a rootkit, for example), the infamous UAC dialog appears. And if someone gives admin access when they wanted to view a JPEG, how is it Windows' or Skype's fault? Also, most versions of windows I have used(since 95) ask before opening executable files(even .SCR) So, Windows does not "still" allow un-sandboxed applications to run just clicking links. If users expect a JPEG but get a .scr or exe they have plenty of time/opportunity to click NO. This is not Windows or Skype's fault. It's just clueless users getting owned.

Microsoft's fault?

[sconeu]

With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

Re:Microsoft's fault?

[cbhacking]

I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though It doesn't matter, since jpegs (non-executable data files in general) don't present that warning (The text of the warning is something along the line of "this type of file can harm your computer". Not to mention they would presumably notice the file type while downloading and cancel the download / delete the file. Of course, the fact that anybody GETS these warnings (I haven't gotten one in Skype, but I've seen a couple that were near-identical over AIM) means that there are people out there who are actually stupid enough to ignore the warning...

Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows. Agreed, although I actually change roughly half the options in Folder Settings. It's gotten better over time; 2000 you had to change almost all of them, XP only about 80%, Vista is down to nearly 50%. IE's default settings have gotten better too, especially with 7.

Re:Lovely

[recoiledsnake]

It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

Re:Lovely

[Peaker]

It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

Heh, I am Eyal. I admit I was "infected". Basically I clicked the "scr" link because I foolishly trusted the source of the message to be who it was, did not read the contents before clicking, I don't really give much of a damn about this Windows box, and I forgot that the "scr" extension was executable, and not just an image file (which is typically a less likely attack vector).

I assumed that since the Explorer.exe was unmodified, but explorer.exe is respawning the virus/worm's executable, that it modified Explorer's behavior in some way, perhaps by code injection. It was just speculation, ofcourse and obviously there are simpler ways to get explorer.exe to respawn your process, but it really is an unimportant detail.