Skype users targeted by ransomware worm

Posted by Emma Woollacott

Security researchers are warning of a new Skype worm, spreading through instant messages in English and German to infect users with the Dorkbot ransomware.

The messages are a variant on: "lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]" or "moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username".
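As an added illustration (not code from the article or from the vendors it quotes), the lure format described above can be turned into a simple message filter: flag a chat message when it carries a shortened link, and escalate when that link's `img` parameter equals the recipient's own username. The function names, the verdict labels, the shortener set and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shortener seen in the lure quoted above; extend the set for your environment.
SHORTENER_HOSTS = {"goo.gl"}
# Matches plain and defanged schemes (http, https, hxxp, h__p).
URL_RE = re.compile(r"\bh(?:tt|xx|__)ps?://[^\s\"'<>]+", re.IGNORECASE)

SHORT = "shortened link"
PERSONAL = "img parameter equals recipient username"


def refang(url):
    """Normalise a defanged scheme so urlsplit can parse the URL."""
    return re.sub(r"^h(?:xx|__)p", "http", url, flags=re.IGNORECASE)


def lure_indicators(message, recipient):
    """Return the set of lure traits found in one incoming chat message."""
    found = set()
    for raw in URL_RE.findall(message):
        parts = urlsplit(refang(raw.rstrip(".,)!")))
        if (parts.hostname or "").lower() not in SHORTENER_HOSTS:
            continue
        found.add(SHORT)
        values = parse_qs(parts.query).get("img", [])
        if any(v.lower() == recipient.lower() for v in values):
            found.add(PERSONAL)
    return found


def verdict(message, recipient):
    """Hypothetical policy: quarantine personalised lures, review bare short links."""
    found = lure_indicators(message, recipient)
    if PERSONAL in found:
        return "quarantine"
    return "review" if SHORT in found else "allow"


if __name__ == "__main__":
    # Constructed sample messages; EXAMPLE stands in for the redacted path.
    samples = [
        ("alice", "lol is this your new profile pic? http://goo.gl/EXAMPLE?img=alice"),
        ("bob", "schau mal h__p://goo.gl/EXAMPLE?img=Bob"),
        ("alice", "meeting notes: http://goo.gl/EXAMPLE"),
        ("alice", "slides are at https://example.com/deck.pdf"),
    ]
    for user, text in samples:
        print(user, verdict(text, user), sorted(lure_indicators(text, user)))
```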

Clicking the link downloads a ZIP file containing executable files identified by Sophos as Troj/Agent-YCW or Troj/Agent-YDC. These open a backdoor that communicates with a remote server via HTTP, allowing a remote hacker to take control of infected PCs.

"On installation, this worm appears to initiate large scale click-fraud activity on each compromised machine, recruiting it into a botnet," says Trend Micro's Rik Ferguson.

"The infection will subsequently install a ransomware variant locking the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours."

Dorkbot has been widespread over the last year or so on Facebook and Twitter, and can also be spread via USB sticks and various instant messaging protocols.

"The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users," says Graham Cluley of Sophos.