Skype malware spreading quickly
2012-10-23
Trend Micro has reported that a type of malware named Dorkbot dupes users of Skype into clicking on a link. The link, in turn, directs them to download a file which includes the malware.
The link (which includes the user name of the recipient) goes to a file hosted at a legitimate file locker service. The file downloaded is a variant of the DORKBOT malware family, which is detected as WORM_DORKBOT.DN.
This malware allows an attacker to take complete control of the user’s system. Its capabilities include password theft from various websites (including pornographic sites, social media, file lockers, and financial services), and launching distributed denial-of-service (DDoS) attacks.
The behavior that a user may see can vary significantly. The malware can also download other malware, including ransomware and click fraud malware, depending on the link provided by the C&C servers.
To spread via Skype, it downloads a separate component (detected as WORM_DORKBOT.IF). This component sends the same message to people in the user’s contact list, restarting the cycle all over again. WORM_DORKBOT.IF checks the system locale and sends the message "lol is this your new profile pic" in a language depending on the user’s geolocation.
As Countermeasures Blog reported, Trend Micro has detected and blocked over 2,800 associated files in a span of 24 hours.
Trend Micro product users are actively protected from DORKBOT malware used in these attacks.