IRCbot Trojan Spoofing Skype
Researchers discover new malware variant that teases with a fake Skype app.
Security firm MessageLabs has detected a new variant of the IRCbot Trojan disguised as the latest release of the popular Skype VoIP software client version 1.4.
More than 150 copies of IRCbot, also known as Fanbot, which is distributed via e-mail, have already been blocked by MessageLabs researchers.
MessageLabs has put a "medium risk" rating on the threat.
The malicious code is disguised as the VoIP software client, version 1.4, which was first released last month. If executed, it attaches a malware program that displays a fake "installation error" box.
However, it is actually installing itself as sysdir%remote.exe, altering the registry and shutting down shared access and Windows update services, according to MessageLabs researchers.
Maksym Schipka, a senior antivirus researcher at MessageLabs, said the latest phishing attack is the first case the company had seen that specifically mentions Skype.
"It is another clear example of how malware writers are quickly exploiting newly identified security holes, as we saw with the Zotob attack, and now, new releases of popular software applications, in order to try and spread their malicious payloads," he said in a statement.
The e-mails carrying the code arrive with several subject-line variants, including "Hello. We're Skype and we've got something we would like to share with..." and "Skype for Windows 1.4 - Have you got the new Skype?"
Researchers are also investigating whether there is a link between the Chinese group believed to have created the IRCbot Trojan and a group of Brazilian and Persian hackers who are known to deface Web sites (their homepage is evil.co.sr, which is a Suriname domain), according to MessageLabs.