When executed, the attached malware program displays a fake "installation error" box while, in fact, it is installing itself as %sysdir%\remote.exe, altering the registry and shutting down shared access and Windows update services. It then tries to connect to either an IRC server named 'jojogirl.3322.org' (channel name #Phantom) or smallphantom.meibu.com, but fails.
"This latest spear phishing attack, where Skype users are being targeted by an email that appears to come from Skype, is the first case that we've seen that specifically mentions Skype," said Maksym Schipka, a senior antivirus researcher at MessageLabs. "It is another clear example of how malware writers are quickly exploiting newly identified security holes, as we saw with the Zotob attack, and now, new releases of popular software applications, in order to try and spread their malicious payloads.
Another interesting development is the usage of the mutex '___--->>>[E-v-i-l_S-e-c-u-r-i-t-y_T-e-a-m]<<<---___' which links the Chinese creator of the IRCbot trojan with a group of Brazilian/Persian hackers who are known to deface Web sites (their homepage is evil.co.sr, which is a Suriname domain).
Hello. We're Skype and we've got something we would like to share with...; Share Skype.; Skype for Windows 1.4; Skype for Windows 1.4 - Have you got the new Skype?; What is Skype?
Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
And it just got even better -- download the latest version of Skype:
Our call quality is the best ever for talking, laughing and sharing stories.
You can forward calls on to mobiles, landlines and other Skype Names.
Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
Personalise your Skype -- play around with sounds, ringtones and pictures to show the world who you are.
For further details see the attached document.
This message contains graphics. If you do not see the graphics, click here to view.
(c) 2002-2005 by Skype Technologies S.A.
MessageLabs detected this malware proactively, using its unique and patented Skeptic(tm) predictive heuristics technology. It has detected over 150 emails of this type since Sunday, October 16th.
For further information, please visit the MessageLabs Web site at http://www.messagelabs.com/intelligence.
To speak with Mr. Schipka or another MessageLabs anti-virus researcher, please contact XYZ.
MessageLabs is the world's leading provider of messaging security and management services with more than 12,000 clients and offices in eight countries. For more information, please visit http://www.messagelabs.com
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.