The Dell SonicWALL Threats Research team came across a new variant of the Dorkbot worm that specifically targets Skype users. Dorkbot, also known as Ngrbot, is known to spread through instant messengers, social networking websites, and removable drives; this is the first variant we have seen that also targets Skype users, which it does by hooking the Skype API.
The malware executable is named Skype_(Date)_(img or foto).exe and uses Skype's official icon as a disguise, as seen below:
Infection Cycle
Click statistics for the shortened malicious URL (courtesy Google) show that it received more than 200,000 visits in the past month:
It also contains a hardcoded command and control IP address, 188.40.15.29, to which it connects on TCP port 1863 if the domains mentioned above fail to resolve.
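The two indicators the write-up gives, the dropper file-name pattern (Skype_(Date)_(img or foto).exe) and the hardcoded fallback C2 endpoint 188.40.15.29 on TCP port 1863, can be turned into a simple log scanner. The following is an added example, not SonicWALL code or a signature from the product; the log line formats and the log lines themselves are constructed for illustration, and the date format inside the file name is an assumption (the article does not specify it), so the pattern accepts any run of digits separated by dots, dashes or underscores.

```python
"""Indicator matching for the Dorkbot/Skype variant described above.

Added example, not SonicWALL code. The two indicators come from the
write-up; the log formats below are assumed (constructed) for the demo.
"""
import re
from typing import Dict, Iterable, List

# Hardcoded fallback C2 from the write-up.
C2_IP = "188.40.15.29"
C2_PORT = 1863

# Skype_(Date)_(img or foto).exe. The date format is not given in the
# write-up, so this assumes digits separated by '.', '-' or '_'.
DROPPER_RE = re.compile(r"^skype_\d[\d._-]*_(?:img|foto)\.exe$", re.IGNORECASE)

# Assumed (constructed) log formats:
#   flow: 'ts=... proto=tcp src=10.0.0.5:49201 dst=188.40.15.29:1863'
#   file: 'ts=... event=create path=C:\Users\bob\Downloads\Skype_2012-10-08_img.exe'
FLOW_RE = re.compile(r"\bproto=(?P<proto>\w+)\b.*\bdst=(?P<ip>[\d.]+):(?P<port>\d+)")
FILE_RE = re.compile(r"\bpath=(?P<path>\S+)")


def is_dropper_name(filename: str) -> bool:
    """True if a bare file name matches the Skype_(Date)_(img|foto).exe pattern."""
    return bool(DROPPER_RE.match(filename))


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per log line that matches either indicator.

    A flow hit requires the exact C2 IP and port over TCP, so unrelated
    port-1863 traffic (e.g. legacy MSN Messenger) does not fire.
    """
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        m = FLOW_RE.search(line)
        if m:
            if (m["proto"].lower() == "tcp" and m["ip"] == C2_IP
                    and int(m["port"]) == C2_PORT):
                hits.append({"line": n, "indicator": "c2_fallback",
                             "value": f"{C2_IP}:{C2_PORT}"})
            continue
        m = FILE_RE.search(line)
        if m:
            name = basename(m["path"])
            if is_dropper_name(name):
                hits.append({"line": n, "indicator": "dropper_name", "value": name})
    return hits


# Constructed sample log: one dropper write, a DNS lookup, the C2 fallback
# connection, an unrelated port-1863 connection, and a benign file write.
SAMPLE_LOG = [
    r"ts=2012-10-08T10:01:12Z event=create path=C:\Users\bob\Downloads\Skype_2012-10-08_img.exe",
    "ts=2012-10-08T10:01:15Z proto=udp src=10.0.0.5:55123 dst=10.0.0.1:53",
    "ts=2012-10-08T10:01:16Z proto=tcp src=10.0.0.5:49201 dst=188.40.15.29:1863",
    "ts=2012-10-08T10:02:00Z proto=tcp src=10.0.0.5:49202 dst=192.0.2.10:1863",
    r"ts=2012-10-08T10:02:30Z event=create path=C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log the scanner reports the dropper write on line 1 and the fallback C2 connection on line 3 only; the DNS query, the other port-1863 flow and the notepad write are ignored. In a real deployment the flow and file-event parsers would be replaced with the format of the actual firewall or endpoint logs.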
It uses the Ruskill feature to install the downloaded malware files. Ruskill keeps track of the file-system and registry changes made during installation, and uses that record to ensure the files are removed when the system reboots.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures: