Skype Warns Users about Circulating Worm

Skype Ltd. warned its users Monday that a worm targeting Windows PCs is spreading through the service's instant messenger, making the Voice over IP (VOIP)'s chat software the latest to come under the hacker gun.

Dubbed Ramex.a by Skype spokesman Villu Arak -- but pegged Pykspa.d by Symantec Corp. -- the worm takes a typical instant messenger (IM) line of attack: After hijacking contacts from an infected machine's Skype software, it sends messages to those people that include a live link. Recipients who blithely click on the URL -- which poses as a JPG image but is actually a download to a file with the .scr extension -- wind up infected.

"The chat message, of which there are several versions, is cleverly written and may appear to be a legitimate chat message, which may fool some users into clicking on the link," said Arak in an alert on the Skype site.

Arak also listed instructions for removing the worm from infected PCs, but they included changes to the Windows registry, a chore most users are hesitant to try.

Ramex.a/Pykspa.d injects code into the Explorer.exe process to force it to run the actual malware -- a file named wndrivsd32.exe -- periodically, wrote an infected user on a Skype message forum today. The worm also plugs in bogus entries in the Windows hosts file so that installed security software won't be able to retrieve updates.

It may also modify the list of programs allowed to call up Skype, according to a moderator on Skype's Windows support forum. "You may additionally need to check your approved programs that work with Skype," said the user identified as TheUberOverlord. "If you see something that looks strange REMOVE it," he added. The list of approved programs can be found under Tools/Options/Privacy/Related Tasks in Skype 3.0.

As of early Monday, detailed information from anti-virus vendors was scanty. Symantec, for instance, while listing Pykspa.d as a new threat, said in its write-up only that it is investigating. Several security companies, however, including Symantec, F-Secure Corp. and Kaspersky Lab Inc., have already updated their signature definitions to detect and delete the new malware.

Skype is only the latest IM client to feel the heat from hackers. Both Yahoo Messenger and Microsoft Corp.'s MSN/Live Messenger have been struck this summer. Exploit code designed to hijack Windows PCs running Yahoo Messenger appeared as early as June, and Yahoo has been forced to patch the IM client several times since. Microsoft, meanwhile, has scheduled fixes for its MSN Messenger and Windows Live Messenger software for Tuesday, presumably to quash a webcam bug that was disclosed late last month.