In what looks like a new veneer on an old trick, a clickjacking Trojan that takes advantage of Skype users has been spreading like a pandemic through Skype affecting largely gamers. The malware hijacks a Skype session to send the message “lol is this your new profile pic?” and a shortened URL for the target to click to various contacts.
The message ends with a link shortened by Google’s URL shortener. The initial links used by the cybercriminals have subsequently been taken down; but this malware is extremely pernicious and keeps rotating links.
This Trojan appears to have been going around for a few days but it gained a major foothold in the StarCraft 2 player community first. From there it spread like wildfire between a few pro players to the rest of the community; it’s now been noted making the rounds between League of Legends players. One could note that it’s a small world of eSports players. There is no reason at the moment to suspect that gamers were the original target, but just supplied the proper incubation ground to catapult this malware into the general population.
The message looks something like this:
Clicking the link downloads an executable file (or a .zip archive in some cases) most commonly listed as “skype_02102012_image.exe” Executing this file will cause the machine it is run on to be infected. GFI Labs has identified the malware as Trojan.Win32.Generic!BT:
The file being offered up is most commonly known as “skype_02102012_image.exe”. Running the file will cause it to self delete and the infected PC will begin making DNS requests to a number of URLs, including a .pl, a .com and a .kz – we also saw references to IRC channel names in the network traffic and are investigating further. It goes without saying that being dropped into a network of compromised machines of any kind won’t do the end-user any favours.
All in all, not a great thing to have on your system and despite the rapid takedowns it still appears to be putting up a valiant struggle during its quest to infect as many users as possible. GFI Software’s VIPRE detects this one as Trojan.Win32.Generic!BT.
One curious thing about this malware is that it localizes itself. English speaking Skype users will send the standard English language version and at least one Russian user had their Skype hijacked to send “это новый аватар вашего профиля?” This suggests an odd level of sophistication to what is probably otherwise very simple malware.
Do not click on strange messages from friends in Skype without checking
…and especially do not execute strange files when you receive them. This is how most Internet Trojan pandemics spread.
In the modern computing era viruses are mostly a thing of the past because of a lack of autorun on executable files, instead they function as Trojans that require human interaction to be part of their vector to get around defenses in the OS against this.
If you receive a questionable file first ask the contact who sent it to you if they intended to send it; if you’re curious scan it with your antivirus software (in most cases the Trojan signature will be detected.) This also means that your AV software may be able to contact the vendor of your software and tell them that the Trojan has reached you and enable them to provide better service in the future.
Although it’s generally just safer not to click the link without confirmation from your friend or acquaintance that it was safe to click in the first place.