Worm spreading on Skype IM installs ransomware

Malware is downloaded onto users' machines after they click on the message "lol is this your new profile pic?"

Steven Musil Night Editor / News
[Image: The Skype worm attempts to entice users with this socially-engineered instant message. Credit: GFI]

A malicious worm spreading through Skype instant messages threatens to take control of a victim's machine and hold its contents for ransom.

The worm, which was first brought to light Friday by GFI, tricks users into downloading a ZIP file by displaying the socially-engineered message, "lol is this your new profile pic?" along with a link that also spreads the message to other Skype users. The ZIP file contains an executable file that installs a variant of the Dorkbot worm and creates a backdoor via "Blackhole," an exploit kit used by criminals to infect computers through security holes.
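For defenders, a ZIP received over instant messaging can be checked for executable members before anyone opens it. The following Python sketch is an added example, not code from the article or from GFI; the sample archive, its file names and the extension list are constructed for illustration, and the extension list is not exhaustive.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (assumed list, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def flag_executables(zip_bytes):
    """Return [(member_name, reason)] for archive members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the last suffix matters: "pic.jpg.exe" still runs as an .exe.
            suffix = PurePosixPath(info.filename).suffix.lower()
            if suffix in EXEC_EXTS:
                findings.append((info.filename, "executable extension " + suffix))
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be inspected, so report it.
                findings.append((info.filename, "encrypted, cannot inspect"))
                continue
            with zf.open(info) as fh:
                # Windows PE/DOS executables start with the bytes "MZ".
                if fh.read(2) == b"MZ":
                    label = suffix or "no"
                    findings.append((info.filename, "PE header behind " + label + " extension"))
    return findings


def build_sample():
    """Constructed sample archive; names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("profile_pic.jpg.exe", b"MZ" + b"\x00" * 62)  # double extension
        zf.writestr("photo.jpg", b"MZ" + b"\x00" * 62)  # PE bytes under an image name
        zf.writestr("readme.txt", b"hello")  # benign text file
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in flag_executables(build_sample()):
        print(name, "->", reason)
```

A mail or chat gateway could run a check like this on attachments and downloaded archives and quarantine anything it flags.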

The backdoor allows a remote attacker to take control of the machine and install the ransomware, a malicious application that locks the user out of the computer via password or encryption and demands a payment, or ransom, in exchange for its contents. This particular strain demands a payment of $200 within 48 hours, or victims risk having their files deleted.

PC users are also presented with a screen (see below) that claims the computer has been used to visit sites of a nefarious nature, including the downloading of MP3s, illegal pornography, gambling, and illegal drugs, and threatens to send that information to the "special Department of US government" via a program called "System Cleaner," which it claims was developed by the U.S. government "to prevent crime and illegal activity on the Internet."

[Image: screenshot of the ransomware screen. Credit: GFI]

The malware also employs click fraud, imitating legitimate user behavior by clicking on ads to generate revenue for its authors. And it's not a few clicks; GFI said in a 10-minute span it recorded 2,259 transmissions.

Skype said it is investigating the matter and recommends upgrading Skype versions and making sure the machine's security software is up to date.

"We are aware of this malicious activity and are working quickly to mitigate its impact," the company said in a statement. "We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links -- even when from your contacts -- that look strange or are unexpected is not advisable."