The Latest in IT Security

Infection Spreads Profile Pic Messages to Skype Users

05 Oct 2012

There’s an infection doing the rounds on the Skype network at the moment, spamming end-users with the following message (or similar variants):

This has been bouncing around for a few days, with the initial set of download links (on free file hosting websites) being taken down and the first shortened URL (which directed users to a .pl IP address) being disabled:

That doesn’t seem to have stopped it, however, with fresh links and files being put into place. The creators seem to be abusing the Google URL shortening service for this one, although those links are being killed off as fast as the scammers can create them. Here’s another shot of a disabled short link, and a now DOA infection file link:

So hey, that’s good. You may well still wander into an infection link like this from one of your contacts though:

The file being offered up is most commonly known as “skype_02102012_image.exe”. Running the file will cause it to self-delete, and the infected PC will begin making DNS requests for a number of domains, including a .pl, a .com and a .kz – we also saw references to IRC channel names in the network traffic and are investigating further. It goes without saying that being dropped into a network of compromised machines of any kind won’t do the end-user any favours.
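One way to hunt for the behaviour described above in endpoint telemetry, as an added example that is not from the original post or from GFI: it correlates the launch of a lure-named file with deletion of that same file and DNS lookups across several TLDs shortly afterwards. The event format, host names, domains, generalised filename pattern and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: variants keep the "skype_<8 digits>_image.exe" shape of the name in the post.
LURE_NAME = re.compile(r"skype_\d{8}_image\.exe$", re.IGNORECASE)
WINDOW = 300  # seconds after launch in which follow-up behaviour is counted (assumed)

# Constructed endpoint telemetry: (epoch seconds, host, event type, detail).
EVENTS = [
    (1000, "pc-07", "proc_start", r"C:\Users\amy\Downloads\skype_02102012_image.exe"),
    (1004, "pc-07", "file_delete", r"C:\Users\amy\Downloads\skype_02102012_image.exe"),
    (1010, "pc-07", "dns_query", "constructed-one.pl"),
    (1012, "pc-07", "dns_query", "constructed-two.com"),
    (1015, "pc-07", "dns_query", "constructed-three.kz"),
    (2000, "pc-12", "proc_start", r"C:\Program Files\Skype\Phone\Skype.exe"),
    (2003, "pc-12", "dns_query", "constructed-two.com"),
    (3000, "pc-21", "proc_start", r"C:\Temp\Skype_05102012_image.EXE"),
    (3500, "pc-21", "dns_query", "constructed-one.pl"),
]

def score_hosts(events, window=WINDOW):
    """Return {host: sorted findings} for hosts that ran a lure-named file."""
    launches = {}                      # host -> (launch time, lower-cased image path)
    findings = defaultdict(set)
    for ts, host, kind, detail in sorted(events):
        if kind == "proc_start" and LURE_NAME.search(detail):
            launches[host] = (ts, detail.lower())
            findings[host].add("lure_executed")
            continue
        if host not in launches:
            continue                   # no lure seen on this host, nothing to correlate
        start, image = launches[host]
        if ts - start > window:
            continue                   # too long after launch to attribute to it
        if kind == "file_delete" and detail.lower() == image:
            findings[host].add("self_delete")
        elif kind == "dns_query":
            findings[host].add("dns_tld:" + detail.rsplit(".", 1)[-1].lower())
    return {h: sorted(f) for h, f in findings.items()}

def triage(events):
    """Split hosts into 'confirmed' (lure + self-delete + >=2 TLDs) and 'review'."""
    out = {"confirmed": [], "review": []}
    for host, f in sorted(score_hosts(events).items()):
        tlds = [x for x in f if x.startswith("dns_tld:")]
        full = "self_delete" in f and len(tlds) >= 2
        out["confirmed" if full else "review"].append(host)
    return out
```

A host in the `review` bucket ran a lure-named file but did not show the follow-up behaviour inside the window, so it still warrants a closer look.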

All in all, not a great thing to have on your system and despite the rapid takedowns it still appears to be putting up a valiant struggle during its quest to infect as many users as possible. GFI Software’s VIPRE detects this one as Trojan.Win32.Generic!BT.

Christopher Boyd (Thanks to Jovi for additional assistance)
