Last year, McAfee Avert Labs predicted an increase in malware targeting VoIP, particularly Skype, given that Skype's APIs are well documented in its SDK. With Skype becoming increasingly popular, it is an attractive target for malware authors.

The W32/Stration family of worms, which started out as a mass-mailing family, later used IM to spread with reasonable success. Skype was the first IM protocol to be targeted by this worm, followed by MSN and ICQ.

As predicted earlier, McAfee Avert Labs has recently received multiple submissions of the W32/Pykse.worm.b spreading via Skype. This worm uses clever social engineering to spread via Skype chat messages.

Upon execution on the victim’s machine, it launches “soap bubbles.bmp” from the default Windows directory to deceive the user into believing that it is an image file.

Bubbles

In the meantime, the worm changes the Skype status to “Do Not Disturb” and starts sending messages to everyone in the Skype contacts list without the user’s knowledge. One of the messages sent will be a URL pointing to a copy of the worm. The following screenshot shows the chat messages used as bait by this worm.

Chat messages sent by the worm

This worm can also prevent security-related tools and programs from being launched, and it modifies the hosts file to prevent access to antivirus websites.
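A defender's check for the hosts-file tampering described above, as an added example that is not part of the original post: it parses a hosts file and reports every entry that overrides a security-vendor domain. The watch list and the sample file are constructed assumptions; the post does not name the blocked sites.

```python
import ipaddress

# Assumed watch list (not from the original post): security-vendor domain suffixes.
WATCHED_SUFFIXES = ("mcafee.com", "nai.com", "symantec.com", "kaspersky.com")

# Constructed sample hosts file, embedded so the example runs offline.
SAMPLE_HOSTS = """\
# constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.mcafee.com vil.nai.com   # appended entry
0.0.0.0         update.symantec.com
192.0.2.10      intranet.example.test
10.1.2.3        download.mcafee.com
"""

def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched suffix."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def scan_hosts(text):
    """Return (line_no, hostname, address, verdict) for each watched name overridden."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                            # blank, comment-only or malformed line
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # first field is not an IP address
        # Loopback/unspecified makes the site unreachable; anything else sends
        # the name to a host the vendor does not control.
        verdict = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in entry[1:]:                  # one line may carry several names
            if is_watched(name):
                findings.append((line_no, name.lower(), str(ip), verdict))
    return findings

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a live Windows system the input would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any finding for a vendor domain warrants investigation, since legitimate software rarely pins those names.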

The following image shows the APIs used by the worm to spread using Skype.

Skype APIs used by the worm

More information on this threat can be viewed at our virus information library.
http://vil.nai.com/vil/content/v_143083.htm