Skype users are under attack from a new worm that spreads through Skype’s chat feature, and infects PCs with malware…
“Skype’s troubles seem to accumulate lately: after last month’s worldwide outage, a new worm that spreads through the Web-application’s IM feature threatens the integrity of PCs, using a bogus chat message.”
Skype is warning its Skype for Windows users about a worm called “W32/Ramex.A” that is spreading fast within the service’s instant chat application as a link in an instant message.
The attack begins when a user receives an instant message containing a link from someone in their contact list or an unknown Skype user, said Villu Arak, a Skype spokesman based in Tallinn, Estonia.
Users receive a message which appears to be from someone on their contact list. The messages are “cleverly written” and may appear to be a legitimate chat message, which may fool some users into clicking on the link, said Kurt Sauer, the company’s chief security officer.
The link appears to point to a JPEG photo file, but clicking it brings up the Windows run/save dialog box, which asks whether the user wants to save or run a “.scr” file; running it infects the user’s computer with the W32/Ramex.A worm. The worm uses Skype’s public API to access the user’s computer.
In a post to the Skype blog, Sauer emphasized that only users who download the link and run the malicious code have their PCs infected.
Skype is working with major PC security vendors to ensure protections are in place against the worm, it said, adding that several major firms had updated their virus engines to be able to stop the worm within hours of it being confirmed.
“Skype recommends updating your anti-virus software and says that F-Secure, Kaspersky Lab and Symantec have all posted updates that will remove the virus.”
According to Arak, both Symantec and F-Secure have identified the virus, which has been dubbed “W32.Pykspa.D.” by Symantec and “W32/Skipi.A.” by F-Secure.
The worm only affects Windows machines with Skype installed, although Arak has not mentioned which version of Skype is targeted by the malware (Windows Vista or XP version).
“We would like to encourage our users to ensure that they are running antivirus software on their computers and to download the latest antivirus updates in order to provide the best protection against this and other viruses,” Sauer said.
Skype confirmed the worm after users began posting about problems with their PCs to various online security forums. The security issue comes just days after Skype marked the fourth anniversary of its public beta launch late last month.
Skype was quick to acknowledge the worm’s presence and to move to correct the situation, and has posted instructions for editing the computer’s registry manually. Experienced users can follow these steps to get rid of the virus:
- Restart the PC in safe mode
- Run regedit
- Go to HKLM/software/microsoft/windows/currentversion/runonce and find the entry with mshtmldat32.exe. Delete this entry.
- Go to the Windows\System32 directory and delete the following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
- Go to windows/system32/drivers/etc
- Find file hosts
- Open it with notepad, Ctrl+A and delete all entries (this will resume your antivirus updates), save, close.
- Restart the PC.
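A read-only check for the indicators named in the steps above, added here as an example and not part of Skype's instructions: it reports matching RunOnce values, the four listed files, and the active hosts entries so they can be reviewed before anything is deleted. The file names and registry key come from the steps; the hosts path under %WINDIR% and the output layout are assumptions.

```powershell
# Read-only triage for the indicators listed in the removal steps (added example).
# File names and the RunOnce key come from the article; nothing is modified or deleted.
$wormFiles = 'wndrivs32.exe', 'mshtmldat32.exe', 'winlgcvers.exe', 'sdrivew32.exe'
$runOnce   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$system32  = Join-Path $env:WINDIR 'System32'
$hostsPath = Join-Path $system32 'drivers\etc\hosts'   # assumed default location
$findings  = @()

# 1. RunOnce values whose data references one of the listed executables.
$key = Get-Item -Path $runOnce -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        foreach ($f in $wormFiles) {
            if ($data -like "*$f*") {
                $findings += [pscustomobject]@{ Type = 'RunOnce'; Item = $name; Detail = $data }
            }
        }
    }
}

# 2. Listed files present in System32.
foreach ($f in $wormFiles) {
    $p = Join-Path $system32 $f
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = $p }
    }
}

# 3. Active hosts entries (comments and blank lines skipped, localhost ignored),
#    listed for review because the steps tie the hosts file to blocked antivirus updates.
if (Test-Path -LiteralPath $hostsPath) {
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $entry = ($line -replace '#.*$', '').Trim()
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $names = $fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' }
        if ($names) {
            $findings += [pscustomobject]@{ Type = 'Hosts'; Item = $fields[0]; Detail = ($names -join ' ') }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the listed indicators were found.' }
```

Reading HKLM and System32 works from a standard account; a 32-bit PowerShell session on 64-bit Windows sees redirected registry and file views, so run it from the native shell.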
Historically, instant messaging and chat programs have been an increasingly common vector for attacks on Windows-based PCs. Access to one person’s instant messenger or e-mail account can mean contact details for many others, allowing hackers to use malicious e-mails or instant messages to lure victims into downloading malicious software.
Often, messages appear to come from friends and other trusted sources, and the instantaneous nature of online chat encourages users to click before thinking.
Skype has been growing rapidly since it was founded in 2002 by Zennström and Janus Friis. Skype gained instant legitimacy in 2005 when eBay bought it for US$2.5 billion.