Worm Propagates Through Skype Messages

For the past week, we've received a lot of reports of a worm that propagates through Skype known as Dorkbot. This is probably nothing new for most of you -but still it pays to be aware. Anyway, I got hold of a sample and took a closer look. The worm usually arrives as a link from a friend's Skype instant message telling you how funny your profile pics are.

Skype_link

Clicking the link, prompts the user to download a file hosted at Sendspace.com:

Screenshot-Opening Skype_09-11-2012_image.zip
For the sake of science, we extracted the zip file and run it in our test environment, and of course, as we suspected this was the Skype worm itself. During testing we left Skype with fake user ID running in the background.

When run, the malware first obtained our infected host's IP address and location by cleverly querying it from a free GeoIP web service, Wipmania.com. It then sends this data back to one of the following control servers on port 1863:

  • 217.160.108.147
  • 176.9.192.131
  • 87.255.51.229 <- now sinkholed by abuse.ch

It then downloads additional malware hosted at Hotfile.com. I have also seen reports of ransomware downloaded and installed on the infected system:

HotfileA

Not long after it downloaded the additional malware, it started spamming our Skype contacts with the same message that we got.

There are also other serious payloads for this malware: it also steals user credentials from various websites (as you can see in the screenshot below, those are the strings that the malware monitors). The malware is also capable of propagating through MSN and USB flash drives.

Banking

As always, be wary of whatever link has been sent to you and avoid clicking it if you are not sure of what it is. Trustwave SWG customers are protected against this threat.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.