Miscreants have created a worm that uses the chat function built into Skype to spread. The malware - variously known as either Ramex, Skipi or Pykspa - sends a short message containing a link to a seemingly benign jpeg file to contacts of users with infected Windows PCs. Users who click on the link are prompted to download and …
With friends like these
> Typical examples of the message it sends include "really funny", "look what crazy photo Tiffany sent to me, looks cool" and "what ur friend name wich is in photo?"
So the only people who should be falling for it are people with friends who can't string a sentence together properly, and people who are generally disposed towards clicking links with "erotic" in the URL.
I received it from 2 Skype contacts - in both cases it would have been pretty out of character for them to write "wich is in photo" or to send me a URL to an erotic image - so I emailed them to ask if they'd sent me anything.
As always, if in doubt, don't click, and no damage done.
Having said that, if the Skype API lets this piece of code start chat sessions without authenticating itself, then a fix might be needed.
And yet again...
another worm dependent upon the seemingly endless hordes of idiots available to click it so that it can execute. FFS, when will these people learn?
Personally, if I were their ISPs, I'd just sandbox the muppets until they learned how to use an internet connection.
Or 419 them, if they're that stupid... sorry, keen, to click on everything that comes into their email/IM/Skype inbox.
What I don't understand is why the viewing of a picture requires the execution of a payload. If viewers didn't automatically execute commands within the image then a lot of the worms would never get spread. That won't happen though if the sales and marketing people have their way, since people would never execute the ad payloads.
Spam filter funds...
...Or just drain their accounts... at least we know the funds will go to a charity of our choice ;-)
If viewers didn't automatically execute commands
>If viewers didn't automatically execute commands
"Viewers" do not execute commands.
The file is prob. a .exe with a name like
funny.jpg________________.exe (_ = space)
.exe after a long name is hidden by the lack of space to display the full filename in the window.
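As an added example (not code from the thread or from any commenter), here is a small Python check for the padded double-extension trick described above: a decoy extension such as .jpg, a run of spaces, and then the real .exe. The extension lists and sample filenames are constructed assumptions. It generalises slightly beyond the comment: it also treats tabs or other whitespace as padding, and flags a plain double extension with no padding at all.

```python
"""Flag filenames that hide an executable extension behind a decoy one."""
import re

# Extensions Windows will run as a program (constructed list, extend as needed)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions a user expects to be harmless media or documents (constructed list)
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc"}

# Constructed sample names; the first one has the shape described in the thread
SAMPLE_NAMES = [
    "funny.jpg" + " " * 40 + ".exe",   # decoy + 40 spaces + real extension
    "photo.jpg\t\t\t.scr",             # tabs as padding instead of spaces
    "holiday.jpg.exe",                 # double extension, no padding
    "really_funny.jpg",                # genuinely an image name
    "setup.exe",                       # plainly an executable, no disguise
    "notes",                           # no extension at all
]


def analyse_filename(name: str) -> dict:
    """Classify one filename.

    verdict is one of:
      'hidden-executable' : decoy extension, optional whitespace, executable extension
      'executable'        : plainly an executable with no disguise
      'ok'                : anything else
    """
    clean = name.rstrip()  # trailing whitespace hides nothing, so drop it
    head, sep, tail = clean.rpartition(".")
    if not sep:
        return {"name": name, "verdict": "ok", "decoy_ext": "",
                "real_ext": "", "padding": 0}
    real_ext = tail.lower()
    # Whitespace sitting between the decoy extension and the real one
    padding = len(head) - len(head.rstrip())
    m = re.search(r"\.([A-Za-z0-9]+)$", head.rstrip())
    decoy_ext = m.group(1).lower() if m else ""
    if real_ext in EXECUTABLE_EXTS and decoy_ext in DECOY_EXTS:
        verdict = "hidden-executable"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "ok"
    return {"name": name, "verdict": verdict, "decoy_ext": decoy_ext,
            "real_ext": real_ext, "padding": padding}


def scan(names):
    """Return the analysis records for every name that is not plainly 'ok'."""
    return [r for r in map(analyse_filename, names) if r["verdict"] != "ok"]


if __name__ == "__main__":
    for rec in scan(SAMPLE_NAMES):
        print(f"{rec['verdict']:18} decoy={rec['decoy_ext'] or '-':5} "
              f"real={rec['real_ext']:4} padding={rec['padding']:3} {rec['name']!r}")
```

The verdict is based only on the name, so it is a cheap first filter for a mail or IM gateway; the file's actual contents (magic bytes, signatures) still need a separate check.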
Not that simple..
We had one user infected today. She swore she had not clicked any links, just replied to a message (and I trust her here). Luckily she had only limited rights to her machine, so the trojan had to stay in her TEMP folder and was removed pretty easily. Still - the hosts file got modified - looks like it is world writable by default (?!).
With friends like these
"So the only people who should be falling for it are people with friends who can't string a sentence together properly, and people who are generally disposed towards clicking links with "erotic" in the URL."
Well that would include a significant proportion of people who comment on El Reg stories ... and the occasional contributor :)
I use spyware terminator, it will ask permission the first time a new program tries to make a change to important files or settings.
Like all security software it's annoying. But once you tell it what programs are trusted to do what things, it's great for alerting you to suspicious activity.
And like all the security software I use, it's free.
Of course if someone will click on a suspicious link, and click to install software when they were expecting a picture, then they are probably going to click OK to modify the hosts file.
Re: Automatic payload execution
voshkin's method can execute code by tricking the user into running an EXE instead of viewing a JPEG, but it is even possible to include executable code in a JPEG itself and execute it by buffer overflow when the user merely views the image.
no need to click on the .jpg
An even nastier exploitation is the red flag notification attached to the Skype icon. Clicking on this, which normally would be a message from a trusted caller, opens the infected .jpg without viewing what it actually is. NASTY!!! Over to you, Skype?