Skype Worm Infects Windows PCs

walterbays writes with news of a worm spreading to Windows PCs through Skype's IM. The worm is variously called Ramex.a and Pykspa.d. A poster on a Skype forum explains how to remove it. "After hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL — which poses as a JPG image but is actually a download to a file with the .scr extension — wind up infected."

Worm?

[Hatta]

Recipients who blithely click on the URL -- which poses as a JPG image but is actually a download to a file with the .scr extension -- wind up infected.

I'm sure I won't be the first to point out that such an attack vector is not a worm.

Re:Worm?

Given your position of first post, I can't see how you could be anything but the first to point out this.

Re:Worm?

[Bill,+Shooter+of+Bul]

That is a good point, and I must admit I thought that as well ... at first. Then I started thinking, How long is something really first? Is something first always first? Like the first European to visit the Americas, Columbus. He was first, but only for 400 odd years before we discovered that the vikings were the first. Also, one can never be so certain that time travel will never exist. Therefore, all of our first records in any given field may be only temporary, before some one from the future comes back and does it first.

I applaud the gp's modesty, and four dimensional thinking. I think we should all be a little more considerate of our resources, both natural and produced, in light of the fact that they may belong to someone else before us, in the future.

Re:Worm?

[Doctor-Optimal]

Ooh, a lesson in not changing history from mister "I'm-my-own-grandpa"!

Re:Worm?

[Suhas]

> You'd have to be a pirate to say all that and still be first.

There, fixed that for ya.

Lovely

[MechaShiva]

Ramex.a/Pykspa.d injects code into the Explorer.exe process to force it to run the actual malware -- a file named wndrivsd32.exe -- periodically, wrote an infected user on a Skype message forum today. The worm also plugs in bogus entries in the Windows hosts file so that installed security software won't be able to retrieve updates.

No mention of if this is just piggybacking a windows exploit or is it purely the result of Skype being craptastic. Also, gotta wonder how/if it effects a properly patched windows xp machine and/or vista. In any event, sounds like fun.

Re:Lovely

[recoiledsnake]

It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

Re:Lovely

[Peaker]

It does not "inject code" into Explorer any more than Notepad injects code into Explorer to run itself. An "infected user" is probably not the right person to listen to in such technical matters. FSecure has complete details on it if you're really interested here

Heh, I am Eyal. I admit I was "infected". Basically I clicked the "scr" link because I foolishly trusted the source of the message to be who it was, did not read the contents before clicking, I don't really give much of a damn about this Windows box, and I forgot that the "scr" extension was executable, and not just an image file (which is typically a less likely attack vector).

I assumed that since the Explorer.exe was unmodified, but explorer.exe is respawning the virus/worm's executable, that it modified Explorer's behavior in some way, perhaps by code injection. It was just speculation, ofcourse and obviously there are simpler ways to get explorer.exe to respawn your process, but it really is an unimportant detail.

F-Secure info

[CXI]

F-Secure has information as well.

Skype itself is blameless

[ZwJGR]

Skype itself is (mostly) blameless, how can they be expected to protect users from this sort of attack (perhaps by pointing out to users that the link/download they're clicking on is a screensaver exe..., but Windows ought to tell you that anyway...)
Naming it a worm is a minor overstatement as well.
It propagates by user incompetence, not by a technical flaw...

These sort of malware executables circulate on email lists (and I daresay, other IM networks) already, so it's no surprise that Skype has "joined the club" of being big enough to attract unwanted attention...

Re:Skype itself is blameless

[jimicus]

It propagates by user incompetence, not by a technical flaw...

If the last 8-10 years have taught the IT industry nothing else, we should at least be well aware by now that basing your security on "user never does anything stupid" is a pretty effective way to ensure that the user's system will be emailing everyone and his dog adverts for Geniun Vigara!!!111 (sic) by the end of the day.

Re:Skype itself is blameless

[gowen]

Skype itself is (mostly) blameless

You what? Their program runs executable content from a URL without a warning or asking for confirmation. That's insanely bad design.

Re:Skype itself is blameless

[recoiledsnake]

The saddest part about Slashdot is that people read the summary or sometimes a misleading articles, assume things and then comment away which is modded up by moderators who don't have much clue either. Then you see someone picking out holes in the summary and article and usually getting modded up(a good thing!). And then one looks at all the modded up wrong comments and thinks "WTF were these people thinking up when they were posting/modding up this crap?"

All Skype does is auto link URLs and make them launch in the default browser on the machine, just like almost every modern IM app does whenever you send them a link. The link looks like it's a JPG but is a .SCR, which infects the user only if they click "Run" in the dialog opened up by the browser(IE, FF, Opera, Safari etc.) According to your logic, it's Slashdot's fault if someone links to a virus EXE here and some clueless readers run it and then the virus autoappends a link to the posts that the Slashdot user posts.

Re:Skype itself is blameless

[haeger]

Yet we happily run around screaming "Linux has no viruses", effectivly teaching our users to not be careful. And almost anything configuration-like we want to do requires a root-like password, effectivly teaching everyone to be careless with that too.

We've got to start looking out or we will have our shiney metal asses bitten.

 

.haeger

Skype's revenge

[Nimey]

They're getting back at all the people who rebooted last month.

Re:Software diversity is a good thing.

[abigor]

You have no idea what you're talking about.

Re:Software diversity is a good thing.

[Opportunist]

And how? By not implementing a messenging system the moron user can click and infect himself?

Where's Skype to blame if someone gets a link sent and clicks it without even trying to see what's behind it?

FIXED

s/some of the //

blithely

[AbbyNormal]

blithely click my signature link for more information on this developing story!

Is there any chance this is related to outage?

[Thagg]

Three weeks ago, Skype was down for quite a while. Was it possible that it was not the benign "updating software" that they had previously reported? Perhaps it really was some kind of malicious attack.

An aquaintance of mine was hit by this today, he only ran Skype ever with his wife and daughter -- it seems hard to imagine how bad guys got ahold of his address, unless perhaps somebody downloaded the whole database.

Thad Beier

Re:Amazing

[recoiledsnake]

Uh. IE7 on Vista runs in a sandbox(note that this is to mitigate the damage caused by buffer overflows in IE code and not intended to sandbox executable/virus code), and warns you square whenever that boundary is breached(by opening a PDF, EXE or SCR, for example). Additionally, if the EXE requests admin privileges(required to install a rootkit, for example), the infamous UAC dialog appears. And if someone gives admin access when they wanted to view a JPEG, how is it Windows' or Skype's fault? Also, most versions of windows I have used(since 95) ask before opening executable files(even .SCR) So, Windows does not "still" allow un-sandboxed applications to run just clicking links. If users expect a JPEG but get a .scr or exe they have plenty of time/opportunity to click NO. This is not Windows or Skype's fault. It's just clueless users getting owned.

Re:"blithely"

Considering the definition and my general knowledge from doing tech support, I'd say just about all of them:

blithely:
1- of a happy lighthearted character or disposition
2- lacking due thought or consideration

Microsoft's fault?

[sconeu]

With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

Re:Microsoft's fault?

[recoiledsnake]

I fail to see how that behavior makes a difference here. The user clicks on a link that ends in .JPG, and the browser asks him to run or save an SCR file. No hiding the extension is involved here. If the user runs it, BAM. If he saves it, THEN he or someone else would not be able to see the extension and would run it(Though I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though).

Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows.

Re:Microsoft's fault?

[everphilski]

With the default behavior of hiding the extension, XP leaves non-technically proficient users vulnerable to this.

I fail to see how a 'non-techinically proficient user' would notice the appropriate extension...

Re:Microsoft's fault?

[cbhacking]

I think XP SP2 pops up a warning about it being a file from the internet zone, not sure if the full filename shows up in the warning though It doesn't matter, since jpegs (non-executable data files in general) don't present that warning (The text of the warning is something along the line of "this type of file can harm your computer". Not to mention they would presumably notice the file type while downloading and cancel the download / delete the file. Of course, the fact that anybody GETS these warnings (I haven't gotten one in Skype, but I've seen a couple that were near-identical over AIM) means that there are people out there who are actually stupid enough to ignore the warning...

Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows. Agreed, although I actually change roughly half the options in Folder Settings. It's gotten better over time; 2000 you had to change almost all of them, XP only about 80%, Vista is down to nearly 50%. IE's default settings have gotten better too, especially with 7.

Re:Microsoft's fault?

[tsa]

Hiding the extension is a very most annoying thing though, it's the first setting that I change on a new install of Windows.

In OSX it's no different. But for some reason Steve's reality distortion field is so strong Mac users don't seem to care about it much.

Re:Sweet merciful Jesus

As a US president once said :- "There's an old saying in Tennessee -- I know it's in Texas, probably in Tennessee -- that says, fool me once, shame on -- shame on you. Fool me -- you can't get fooled again."

Re:Amazing

[jawtheshark]

Ehm, you really don't remember, do you? There was functionality in Outlook that allowed emails to run midis, except it didn't check the MIME type and ran whatever declared itself as being a midi, including EXE, COM, SRC and PIF. So, the person opening those emails got infected by "just opening the email"

That was back in the day that we computer scientists were laughing at those "open an email and get virus emails". We didn't count with Outlook.... *sigh* That was a long time ago...

Yet Again...

[RAMMS+EIN]

Yet again, us Linux users are left out. The program works only on Windows/x86. And here I am, on my glorious Linux/ppc box, just having painfully gotten Skype to work...and they introduce a new feature that I can't access...boohooo!

(I kid. I hate Skype passionately (for getting everybody on a proprietary solution when open protocols exist) and would never go through any amount of trouble to get it installed on my computer.)

Re:Amazing

[KiloByte]

Any Unix GUI environment could allow this as well.

ClickMe.sh You forgot:
chmod a+x ClickMe.sh
Even the GUI version of the above requires at least 5 clicks in Gnome, and I guess about as much in KDE.

Re:The malware terminates a list of 534 processes.

[myowntrueself]

Seems like such a person could make money honestly.

Anyone who can make $money honestly could make N * $money dishonestly.

How do you think corporatism works? :-P

Assume

[ShawnCplus]

Do we really need the title to say "Windows PCs"? I thought that was implied any time malware was concerned.

Re:Assume

[cbiltcliffe]

Do we really need the title to say "Windows PCs"? I thought that was implied any time malware was concerned.

Yes, we do. Because for a start, every time we don't, Linux/BSD/Mac/FreeDOS/Solaris-x86 fans complain that it's not "PCs" that are vulnerable, it's Windows. Which is true. Also, since the article says Windows PCs, the /. summary is just quoting that. It's also a good thing that the article states this, because the less technical crowd who might read it may notice that it's only Windows PCs that are affected, and start wondering what there is besides Windows PCs, or maybe look into purchasing something alternative that's not affected by so many worms/viruses/spyware.

110% of them

[OrangeTide]

Most skype users don't know what blithely means. And are unaware of any fundamental difference between a spell-checker and a dictionary.

Linux support?

[OrangeTide]

When will native Linux support for this worm/trojan become available?

Also could you post the link so that I can try porting the .scr to .pl ?