Skype Worm Breaks Out in APAC

Symantec and Websense have warned Skype users of a new worm that spreads itself via Skype text messages.

Symantec has dubbed the worm Chatosky. The cycle starts with a Skype user receiving a message offering a file called sp.exe. According to Websense’s preliminary analysis, when that file is run, it installs a password-stealing Trojan and propagates itself via Skype.

The malware also tries to connect to a now-disabled remote server to collect additional code.

Websense says the original infections appear to be in the Asia Pacific region, especially Korea.

CA’s, Sophos’ and McAfee’s security sites had no information about this worm at the time of writing.

Websense Alert:

Websense Security Labs has had reports of a new worm that uses Skype to propagate. We are still investigating the issue but here are the details so far:

* users receive messages via Skype Chat to download and run a file
* the filename is called sp.exe
* assuming the file is run, it appears to drop and run a password-stealing Trojan horse
* the file also appears to run another set of code that uses Skype to propagate the original file
* the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
* the file connects to a remote server for additional code
* the original site has been black holed and is not serving the code anymore
* the number of victims is still TBD
* the original infections appear to be in the APAC region (Korea in particular)
