With Skype gaining popularity in the VoIP-IM space, it has become an attractive target for malware authors. Very recently we had blogged about the W32/Pykse.worm which used Skype for spreading.

Today we came across a new trojan - PWS-Pykse which attempts to steal Skype usernames and passwords. This trojan purports itself as a “Skype-Defender” plug-in for Skype. It displays a fake login window to trick the user into entering the login credentials:

The PWS-Pykse trojan does not spread by itself. It relies on social engineering techniques to trick the victim into executing it and is usually posted onto dodgy sites or forums. Upon execution, this trojan kills any running instance of Skype and displays a fake login window of Skype. It then captures the username and password entered by the victim, and posts it via http to the trojan author’s website.

An alert Skype user would notice that it looks very different from the normal Skype login window – especially since none of the hyperlinks or options displayed are functional! McAfee users are protected against this threat with the 5143 dat onwards.