BEWARE! New Skype Worm Spreads Fast

Windows Security : BEWARE! New Skype Worm Spreads Fast

Posted by Max on 2007/9/11 13:12:40 (859 reads)

A new computer virus called W32/Ramex.A W32/Skipi.A. or W32.Pykspa.D, is massively attacking users of Skype for Windows. Users whose computers are infected with this malware will send a chat message to other Skype users asking them to click on a malicious web link that can infect the computer of the person who receives the message.

Please note that Skype users ONLY become infected after they have downloaded the link and run the malicious software. The chat message, of which there are several versions, is cleverly written and may appear to be a legitimate chat message, which may fool some users into clicking on the link.

Skype has been in contact with the leading antivirus software companies about this worm, and we know that they are updating their software to effectively stop this worm and as well as its side effects. Currently, F-Secure, Kaspersky Lab and Symantec have already updated their antivirus products to detect and remove the worm.

We would like to encourage our users to ensure that they are running anti-virus software on their computers and to download the latest anti-virus updates in order to provide the best protection against this and other viruses.

Here’s a more detailed look at the situation for those who understand techier talk:

When a Skype user receives the chat message — either from their Skype contacts or users not on their contact list — it includes an internet link. Instead of a .jpg image that it seems to point to, the link actually leads to a virus file. By clicking on the link, the Windows Run/Save dialog box will pop up, asking for permission to save or run a .scr file. This is the virus file and should not be downloaded or run.

If the user accepts the file, however, their Windows PC will be infected with the w32/Ramex.A virus. The worm uses Skype’s public Application Program Interface (API) to access the PC.

There are two ways to get rid of the worm: the normal way and the techhead way. Most users should NOT attempt to edit their computer’s registry manually. For most people, downloading and/or updating their anti-virus software, and scanning their computer to detect and remove the worm, is the way to go.

Expert users — and only expert users — who know what they’re doing can also remove the worm manually.

Restart the PC in safe mode
Run regedit
Go to HKLM/software/microsoft/windows/currentversion/runonce find entry with mshtmldat32.exe. Delete this entry.
Go to Windows\System32 directory and delete following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
Go to windows/system32/drivers/etc
Find file hosts
Open it with notepad, ctrl+a and delete all entries (this will resume your antivirus updates), save, close.
Restart the PC.

Previous article - Next article

Other articles
2008/8/21 15:52:01 - BitRoll and Torrent101 Used to Distribute the Lop Adware
2008/8/20 15:06:33 - FRAUDFacts Helps You Fight Identity Theft and Fraud for Life
2008/8/13 16:42:03 - 10 Million Zombies Are Spreading Spam and Malware Every Day
2008/8/11 9:03:35 - Nearly $8.5 Billion Lost by US Consumers because of Online Threats
2008/8/8 6:35:36 - EDS' Eight Tips for Consumers to Protect Themselves from Identity Theft

The comments are owned by the poster. We aren't responsible for their content.