Voice messaging service Skype is under attack from a malicious online worm that can infect users' PCs and destroy their documents if they click on a download link.


[Update] IBTimes UK has received the following statement from Skype, via a spokesperson from Waggener Edstrom:

"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links - even when from your contacts - that look strange or are unexpected is not advisable."

[Original story]

"Dorkbot", as the worm is known, is a form of "ransomware", which infiltrates computers by posing as innocent links sent from Skype users' friends.

On an official Skype forum thread, users have reported receiving the message "lol is this your new profile pic" accompanied by a link which, when opened, downloads a .zip file containing the Dorkbot ransomware. Users then receive a pop-up on their desktop, warning that their files have been encrypted and will be deleted if they do not pay $200 within 48 hours.

Graham Cluley of Sophos Anti-Virus told TechCrunch: "[It's like] kidnappers shooting hostages one by one, if their demands aren't met. It's creepy, unpleasant behavior - and sadly becoming more common."

Rik Ferguson, of cyber security firm Trend Micro, also spoke out about the Dorkbot worm. In a blog post on Trend Micro's official website, he described Dorkbot as spreading fast.

"Criminals are taking advantage of our post-weekend lassitude by starting a Skype-based campaign aimed at spreading malicious software," he wrote.

"Many users have reported receiving messages from friends in their Skype contact lists. So far, socially engineered messages have been seen in both English and German, saying either:

"lol is this your new profile pic? h__p://goo.gl/{BLOCKED}5q1sx?img=username


"moin, kaum zu glauben was für schöne fotos von dir auf deinem profil h__p://goo.gl/{BLOCKED}5q1sx?img=username.

"Regardless of the language used, the link is the same. The executable installs a variant of the Dorkbot worm (also known as NRGbot), which appears to initiate large scale click-fraud activity on each compromised machine as well as recruiting it into a botnet. The infection will subsequently install a ransomware variant locking the user out of their machine, informing them that their files have been encrypted and that they will be subsequently deleted unless the unfortunate victim surrenders a $200 fine within 48 hours.

"This malware is still under investigation and I expect to update the blog post with further information in the near future. Until then, please remember not to click on unexpected links."