Skipi Alert

infectionvectors.com

September 2007

Vector: Skype IM client

Impact: High (if the downloaded Trojan companion runs successfully)

Although the payload and the defensive measures this worm takes will look tired to malware researchers, Skipi (a somewhat unfortunate name, since it was already used by a Skype add-on) does take the novel step of using the VoIP service Skype as its transport. This is not a critical issue for most organizations, but the innovation should not be dismissed altogether either. Email-borne worms found success because people trusted that email was from who it said it was from, and the original IM worms exploited the same trust. VoIP applications likely enjoy the same level of implicit trust from the bulk of their users, at least until now.

Skipi requires that a user download and execute the worm payload, an area where general user awareness training may be paying off for administrators. Once executed, the worm does the following:


Drops files onto the local machine:

“%WINDIR%\system32\mshtmldat32.exe”
“%WINDIR%\system32\sdrivew32.exe”
“%WINDIR%\system32\winlgcvers.exe”
“%WINDIR%\system32\wndrivs32.exe”
“%SYSTEM%\mshtmlsh32.exe”
“%SYSTEM%\sdrivec32.exe”
“%SYSTEM%\winlgcverx.exe”
“%SYSTEM%\wndrivsd32.exe”


Creates autostart values in the Windows Registry.

Kills malware-detecting/cleaning utilities (by process).

Modifies the HOSTS file to block access to the major antivirus vendors' support sites.

Copies itself to any available removable drives and writes an autorun.inf file on the drive that points to its copy there (“game.exe”).

Sends a link to the names in the Skype contact list:

hxxp://www.fakme.org/erotic-gallerys/usr5d8c/dsc027.jpg

hxxp://www.myimagespace.net/erotic-gallerys/usr5d8c/dsc027.jpg


The link redirects to an SCR file, which the user must manually save and execute, as noted above. The SCR is a Trojan and is likely to change as the worm ages. The link arrives with one of many possible subject lines (chosen from English, Russian, or Latvian according to the system’s language settings):

 : S

ziurek kur tavo foto imeciau :D

zek kur tavo foto metos isdergta

your photos looks realy nice

you checked ?

where I put ur photo :D

what ur friend name wich is in photo ?

vgeras ane ?

u happy ?

this (happy) sexy one

sky

really funny

patinka?

pala biski

ops

oops sorry please don't look there :S

oh sry not for u

now u populr

matai :D

look what crazy photo Tiffany sent to me,looks cool

look

labas

kas cia tavim taip isderge ? =]]

I used photoshop and edited it

how are u ? :)

hey

haha lol

esi?

cia tu isimetei ?

cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D

as net nezinau ka tavo vietoj daryciau.

a ?

(rofl)

(mm) kaip as taves noriu

(happy)

(devil)
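
The host-side indicators above (dropped file names, HOSTS edits against antivirus sites, and an autorun.inf on removable media pointing at game.exe) lend themselves to a small triage script. The following is an added example, not code from infectionvectors.com or from any vendor report; it operates on file contents already read from disk so it runs offline. The antivirus domain list is an assumption (the alert names no domains), and the sample listing, HOSTS text and autorun.inf are constructed for illustration.

```python
"""Host triage checks for the Skipi indicators listed in this alert.
Added example; not code from infectionvectors.com. The checks work on
text already read from disk, so they run offline. The antivirus domain
list and the sample inputs below are constructed for illustration."""
import re
from pathlib import PureWindowsPath

# File names the alert lists as dropped (directories vary, so match on name only)
DROPPED_NAMES = {
    "mshtmldat32.exe", "sdrivew32.exe", "winlgcvers.exe", "wndrivs32.exe",
    "mshtmlsh32.exe", "sdrivec32.exe", "winlgcverx.exe", "wndrivsd32.exe",
}

# Assumption: the alert says HOSTS is edited to block "the major players in
# antivirus support" but names none, so this vendor list is a placeholder.
AV_DOMAINS = ("symantec.com", "trendmicro.com", "mcafee.com",
              "kaspersky.com", "sophos.com", "windowsupdate.com")

# Addresses that turn a HOSTS entry into a sinkhole
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def find_dropped_files(paths):
    """Return every path whose file name matches one of the dropped names."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_NAMES]


def find_hosts_sinkholes(hosts_text):
    """Return (ip, hostname) pairs that point an AV vendor host at a
    blackhole address. Comments (#) and blank lines are ignored."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if ip not in BLACKHOLE_IPS:
            continue
        for host in names:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in AV_DOMAINS):
                findings.append((ip, host))
    return findings


# autorun.inf keys that cause a program to run on insertion or double-click
_AUTORUN_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=\r\n]*\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)


def autorun_launches(autorun_text, suspect="game.exe"):
    """True if autorun.inf would launch `suspect` (the name the alert reports)."""
    for target in _AUTORUN_KEY.findall(autorun_text):
        t = target.strip()
        if t.startswith('"'):                    # quoted path, may contain spaces
            exe = t[1:].split('"', 1)[0]
        else:                                    # bare path, discard arguments
            exe = t.split()[0]
        if PureWindowsPath(exe).name.lower() == suspect:
            return True
    return False


# --- constructed sample inputs standing in for data read from a host ---
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\mshtmldat32.exe",
    r"C:\WINDOWS\system32\wndrivsd32.exe",
]
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 www.trendmicro.com   # appended by malware
"""
SAMPLE_AUTORUN = """[autorun]
open=game.exe
icon=game.exe
"""


def run_sample():
    """Run all three checks over the constructed samples and return findings."""
    return {
        "dropped": find_dropped_files(SAMPLE_LISTING),
        "hosts": find_hosts_sinkholes(SAMPLE_HOSTS),
        "autorun": autorun_launches(SAMPLE_AUTORUN),
    }


if __name__ == "__main__":
    for check, result in run_sample().items():
        print(f"{check}: {result}")
```

On a live host the three functions would be fed a directory listing of the system directories, the contents of %WINDIR%\system32\drivers\etc\hosts, and the autorun.inf from each removable drive; matching on file name rather than full path keeps the dropped-file check independent of where %WINDIR% and %SYSTEM% resolve.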

Considerations:

This worm appears poised to mutate, taking on different languages, subject lines, download points, file names, etc. as its (likely short) life continues. It is not unlike any other mass mailer or IM worm, which often go through numerous iterations before fading away. Administrators are cautioned against relying on subject-line blocks or similar means at network borders (IDS) in an effort to stop this malware.

Skype has posted a notification: http://heartbeat.skype.com/2007/09/the_worm_that_affects_skype_fo.html


Additional analyst reports:

Symantec:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-091011-2911-99&tabid=2

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSKIPI%2EA&VSect=T

Copyright © 2007 infectionvectors.com. All rights reserved.