New worms appear to attack both Yahoo! Messenger, Skype

Just days after the worm spread through Yahoo! Messenger broke out, the Internet emerged a more sophisticated new worm targeting both Skype and Yahoo! Messenger .

The new worm, identified by Bkav antivirus software as W32.Skyhoo.Worm , still applies malicious link insertion into Ymfocard-like chat windows, but a much more sophisticated phishing scheme, the security department Bkis's network (Bkis Security) published on the company's blog.

New worms appear to attack both Yahoo! Messenger, Skype Picture 1
Messages with different content spread by the worm via Skype.

Each time the link contains malicious code, the worm sends different messages, for example ' Does my new hair style look good? bad? perfect? '( How does my new hairstyle look? Nice? Bad? Perfect? ), Or' My printer is about to be thrown through a window if this pic won't come our right. You see anything wrong with it? '( I will throw the printer out of the window if this picture doesn't come out immediately. Did you see anything wrong with this image? ) .

The above messages are easy to stimulate the recipient of the message and click on the exclusive link (as in the picture above), because their 'friends' need to be consulted. Besides, the link shows a file ending in .JPG, which makes the user think it is an image file.

If the recipient clicks on the link above, the browser immediately redirects to a website with a similar interface to Rapidshare, and a .zip file is required to download.

New worms appear to attack both Yahoo! Messenger, Skype Picture 2
The interface is similar to Rapidshare.

New worms appear to attack both Yahoo! Messenger, Skype Picture 3
A .zip file is required to download.

The extracted file is actually a virus. However, this file is disguised as an image file in .JPG format and .COM (executable file format) is cleverly masked, making the user think it is the .com extension of the domain ( where this file is hosted).

New worms appear to attack both Yahoo! Messenger, Skype Picture 4
The .COM tail is cleverly covered.

After analyzing this worm, Bkis' team thinks that the W32.Skyhoo.Worm worm has more complex features and operations than Ymfocard:

- Automatically terminate if the victim's computer does not install Skype and Yahoo! Messenger; automatically send messages with different content, containing malicious links to nick in Yahoo! Messenger, Skype of the user;

- Automatically insert malicious links into Word, Excel or composing emails;

- Connect to the IRC server to receive hacker control commands

- Block computer access to more than 700 security or anti-virus websites;

- Prevent antivirus software from working;

- Anti-virtual machine and sandbox;

- Using rootkit technology to hide files and worms' processes;

- Automatically copy itself with Autorun.inf file to USB drives for distribution.

Bkis recommends that users should be very careful before clicking on the received links, even from their relatives or friends and need to regularly update new versions of antivirus software on the computer.