Worm Attack on Skype and Yahoo IM via instant messages: Symantec and BKIS report

Security researchers at Symantec and BKIS report worms hitting users of Yahoo Messenger and Skype via malicious instant messages. Security researchers have reported a new wave of attacks targeting users of Yahoo Messenger and Skype.

BKIS (Bach Khoa Internetwork Security) researchers on May 7 informed that the attack comes via messages which  urges the users to see a pic  and that  kind of message contain malicious links.

According to the Blog post of BKIS “The users are more easily tricked into clicking the link by these messages, because users tend to think that ‘their friend(s)’ are asking for [advice],” said the”Moreover, the URL shows a .jpg file to users, reinforcing the users’ thought of an image file.”

BKIS’ discovery is not restricted to this only it also follows the appearance of another worm targeting Yahoo Messenger that was reported earlier this week.

“The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm,” explained Symantec researcher Mircea Ciubotariu May 2.

Once executed, “the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, blocks the Windows Updates service and sets the following registry value so that it runs whenever the system boots: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”Firewall Administrating” = “%WinDir%\infocard.exe,” Ciubotariu wrote.

With that done, the worm then goes itself out to everyone on the victim’s Yahoo Messenger contact list, and may also download and execute other malicious files.

According to BKIS, the other worm has “more complicated functions.” Among other things, it “automatically sends messages with different contents containing malicious URLs to user names in [the] Skype [or] Yahoo Messenger friend list of the user” and “uses rootkit technique to hide its files and processes.” The malware also “blocks operations of antivirus software” and “copies itself along with file Autorun.inf into USB drives to spread.”

“Once again, we would recommend [that] IM users … be careful before clicking any links received, even from your friends or relatives,” BKIS said. Also, “Users should regularly update their antivirus [software] on their computers.”