The W32/Pykse-C worm (also known as Ramex, Skipi or Pykspa) is spreading via Skype's chat system in a variety of languages, including English, Russian and Lithuanian, says Brett Myroff, CEO of Netxactics.
Recipients of the instant messages are invited to click on a link to what they believe is a .JPG picture, but which is in fact a downloadable executable.
"The latest incident is not the first time that Skype has raised questions for system administrators tasked with securing their networks," he explains.
"Instant messaging is becoming a weak spot for companies. The fact that Skype also contains an instant messaging component raises concerns for system administrators, as it is potentially an avenue for data leakage as well as malware infestation," Myroff says.
"More and more, companies are setting a policy as to what instant messaging client is to be used in the business, and whether it can be used for communicating with the outside world."
New threats
Last week's malware line-up included a number of Trojans and network worms. Troj/Desdie-A, a spyware Trojan for the Windows platform, aims to steal information and download code from the Internet.
It attempts to connect to a remote location using FTP, and then downloads and executes two files to the following locations: C:\mspass.exe and C:\pspv.exe.
"These are used to steal information from the infected computer, save it to a specified location and then upload it to the remote location," explains Myroff.
W32/IRCBot-XV, a spyware worm, spreads via network shares and chat programs. While stealing information and downloading code from the Internet, it also records a user's keystrokes, installs itself in the registry, exploits system or software vulnerabilities and scans the network for vulnerabilities.
Also showing up on the radar screen last week was the W32/IRCBot-XV worm, which has backdoor functionality that allows a remote intruder to gain access and control over the computer via IRC channels. "It spreads to other network computers by exploiting common buffer overflow vulnerabilities. The worm may also spread via network shares and MSSQL servers protected by weak passwords," Myroff says.
W32/IRCBot-XV has been ordered to spread via MSN and includes functionality to:
* Check to see if the bot is running under VPC, VMWare or Anubis;
* Set up an FTP server;
* Set up a proxy server;
* Spread via MSN Instant Messenger by sending messages automatically;
* Port scan;
* Packet sniff;
* Start a remote shell (RLOGIN);
* Access the Internet and communicate with a remote server via HTTP; and
* Harvest information from the clipboard.
W32/Rbot-GTC, another network worm, spreads via network shares and can allow others to access the computer, install itself in the registry and exploit system or software vulnerabilities.
Its aliases include Backdoor.Win32.Rbot.buy, Worm/Gaobot.1104511, W32/Backdoor.AEVB, W32/Sdbot.worm, BKDR_Generic and Trojan:Win32/Ircbrute!9CF1.
W32/Rbot-GTC is a network worm for the Windows platform.
Two further Trojan horses have also been noted: Troj/DNSChan-LZ and Troj/Agent-GCM.
When first run, Troj/DNSChan-LZ copies itself to <System>\kdjjz.exe. The following registry entry is changed to run kdjjz.exe on start-up:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: System
Data: kdjjz.exe
When Troj/Agent-GCM is installed, it copies itself to <System>\NSecurity.exe and creates a number of registry entries to run NSecurity.exe on start-up.
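The Winlogon change described above can be checked for on a host. The following is an added example, not code from the article or from the vendors it names: it parses the text output of `reg query` for the Winlogon key and flags data that names a file mentioned in this article or that is absent from a baseline. The sample output and the contents of `BASELINE` are constructed assumptions; a real baseline should come from a known-clean host.

```python
import re

# File names reported in this article (compared case-insensitively).
PAGE_IOC_NAMES = {"kdjjz.exe", "nsecurity.exe", "mspass.exe", "pspv.exe"}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def executables(data):
    """Split comma-separated Winlogon data into lowercase file names."""
    parts = [p.strip().strip('"') for p in data.split(",")]
    return [p.rsplit("\\", 1)[-1].lower() for p in parts if p]

def check_winlogon(text, baseline):
    """Return (value, file, reason) for each suspicious Winlogon entry."""
    findings = []
    values = parse_reg_query(text).get(WINLOGON, {})
    for name, data in sorted(values.items()):
        if name not in baseline:
            continue  # only values the baseline covers are judged
        for exe in executables(data):
            if exe in PAGE_IOC_NAMES:
                findings.append((name, exe, "known-bad name from article"))
            elif exe not in baseline[name]:
                findings.append((name, exe, "not in baseline"))
    return findings

# Constructed sample of `reg query` output from an affected host.
SAMPLE = "\n".join([
    WINLOGON,
    "    Shell    REG_SZ    explorer.exe",
    "    System    REG_SZ    kdjjz.exe",
    r"    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,",
])
# Assumed baseline: allowed file names per value; adjust to your clean image.
BASELINE = {"Shell": {"explorer.exe"}, "Userinit": {"userinit.exe"}, "System": set()}

if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE, BASELINE):
        print(finding)
```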