NEWS FROM THE LAB - Monday, April 16, 2007

Another Skype Worm Posted by Francis @ 03:16 GMT

Yup! There is another Skype worm on the loose and our detection for it is IM-Worm:W32/Pykse.A. It spreads by sending a message with a malware link to all online friends in Skype's contact list using the Skype API.

The message is randomly chosen from the following list:

Skype message

Before sending the message, it will set the infected Skype user's status to DND (Do Not Disturb). As a side effect, it will not actively notify the user of calls or messages as shown in the warning message below:

Skype away

Once the link is clicked, it will redirect and download the malware file:

Skype download

Once you have downloaded and executed the file from the link, it will show you a picture of a lightly dressed woman, to avoid suspicion:

Skype girl

So what's the motive behind this worm?

It seems that it is promoting the following websites:


These websites all look the same. Here's a sample screenshot:

Skype link

The following site is also visited:


This is most probably a counter to find out how many users are infected. This could also be a way for the malware writer to quantify his profit. Who knows, malware nowadays are mostly driven and motivated financially.

Signing off Skype,