Security firm MessageLabs has detected a new variant of the IRCbot Trojan
disguised as the latest release of the popular Skype VoIP software client version 1.4.
More than 150 copies of the IRCbot, also known as Fanbot, which is distributed via e-mail, have already been blocked by MessageLabs researchers.
MessageLabs has put a “medium risk” rating on the threat.
The malicious code is disguised as the VoIP software client, version 1.4, which was
first released last month. If executed, it attaches a malware program that displays a
fake “installation error” box.
However, it is actually installing itself as sysdir%remote.exe, altering the registry and shutting down shared access
and Windows update services, according to MessageLabs researchers.
Maksym Schipka, a senior antivirus researcher at MessageLabs, said the
latest phishing attack is the first case the company had seen that
specifically mentions Skype.
“It is another clear example of how malware writers are quickly exploiting
newly identified security holes, as we saw with the Zotob attack, and now,
new releases of popular software applications, in order to try and spread
their malicious payloads,” he said in a statement.
The subject line of the e-mails in which the code arrives has several variants, including
“Hello. We’re Skype and we’ve got something we would like to share with…”
and “Skype for Windows 1.4 – Have you got the new Skype?”
Researchers are also investigating whether there is a link between the Chinese
group believed to have created the IRCbot Trojan and a group of Brazilian
and Persian hackers who are known to deface Web sites (their homepage is
evil.co.sr, which is a Suriname domain), according to MessageLabs.