Sign in to follow this  
Followers 0

I can has landline?

5 posts in this topic

Skype worm

Published: 2007-09-10,

Last Updated: 2007-09-10 22:14:13 UTC

by Maarten Van Horenbeeck (Version: 3)

A worm is currently spreading which is specifically aimed at Skype users. Known as Ramex, Skipi or Pykspa, it abuses the chat function of Skype to send a short message containing a link to a seemingly benign JPEG file to other users. Users that click on the link will download and run a copy of the worm, and start to infect others.

The binary is not packed and easy to dissect. It contains code to turn off several security applications, and alters the hosts file to disable the downloading of updates. It then uses the Skype API to send the following messages in Lithuanian/Latvian, Russian and English, depending on the client's user interface:

pala biski


as net nezinau ka tavo vietoj daryciau.

matai :D

geras ane ?


kas cia tavim taip isderge ? =]]

cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D

cia tu isimetei ?

zek kur tavo foto metos isdergta

(mm) kaip as taves noriu

ziurek kur tavo foto imeciau :D



what ur friend name wich is in photo ?

this (happy) sexy one

u happy ?

oh sry not for u

oops sorry please don't look there :S

you checked ?



really funny

now u populr

haha lol

look what crazy photo Tiffany sent to me,looks cool

I used photoshop and edited it

where I put ur photo :D

your photos looks realy nice


how are u ? :)

Skype's heartbeat has a brief entry on this new malcode which contains manual removal instructions. Samples of the worm have been gathered and are currently under analysis to improve anti virus coverage. In the meanwhile, you may wish to educate your users not to click on these appearingly benign links.


Maarten Van Horenbeeck


Share this post

Link to post
Share on other sites

Yup. Just heard about this one before you posted.

IF PEOPLE WOULD JUST NOT BE STUPID, this wouldn't be so effective.



Share this post

Link to post
Share on other sites

if you told me she was naughty i would have to... The skype api is sick. I mess around with writing a wardialer for when skype out was free.


Share this post

Link to post
Share on other sites

I read a writeup of this in my Google Reader this morning:

Not too much special about this one, other than posing as a screensaver file (.scr). The author probably figured that some people jaded by malware posing as .exe's wouldn't realize that a .scr is executable as well.

It is neat that it's using the Skype chat protocol to spread. It'd be interesting to see if it implements the protocol in the malware itself (2k--cheap!) or if it hijacks the client sitting on the victim's machine.


Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0