Skype worm spreads, using LOL trick to infect unwary users

Skype users are warned to be on their guard against malicious instant messages that have been sent through the service, designed to infect Windows computers.

A malicious worm is taking advantage of the Skype API to spam out messages similar to the one below:

lol is this your new profile pic? http://goo.gl/[REDACTED]?img=[USERNAME]

Clicking on the suspicious links leads to the download of a ZIP file (variously called skype_06102012_image.zip or skype_08102012_image.zip) that contains executable files detected by Sophos anti-virus products as Troj/Agent-YCW or Troj/Agent-YDC.

The Trojan horse opens a backdoor, allowing a remote hacker to take control of infected PCs, communicating with a remote server via HTTP.

On execution the malware copies itself to

%PROFILE%\Application Data\Jqfsfb.exe

and sets the autostart entry as below:

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry = "Jqfsfb"
description = "Skype "
publisher = "Skype Technologies S.A."
image = "c:\documents and settings\support\application data\jqfsfb.exe"
launch_string = "C:\Documents and Settings\support\Application Data\Jqfsfb.exe"
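A triage check for the autostart entry shown above, as an added example that is not part of the original article or any Sophos tooling. It parses records in the same key = "value" layout and flags Run-key entries that match this pattern; the directory list, the publisher heuristic and the second sample record are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

FIELD = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumption: a Run-key binary directly inside one of these per-user
# directories (not in a vendor subfolder) is worth a closer look.
PROFILE_DIRS = {"application data", "roaming", "local", "temp"}

# First record is the one from the article; the second is constructed.
SAMPLE = r'''
entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry = "Jqfsfb"
description = "Skype "
publisher = "Skype Technologies S.A."
image = "c:\documents and settings\support\application data\jqfsfb.exe"

entry_location = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
entry = "Skype"
description = "Skype"
publisher = "Skype Technologies S.A."
image = "c:\program files\skype\phone\skype.exe"
'''

def parse_records(text):
    """Split blank-line separated key = "value" blocks into dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if rec:
            records.append(rec)
    return records

def triage(rec):
    """Return the reasons a Run-key entry resembles the persistence above."""
    if not RUN_KEY.search(rec.get("entry_location", "")):
        return []
    reasons = []
    image = PureWindowsPath(rec.get("image", "").lower())
    if image.parent.name in PROFILE_DIRS:
        reasons.append("binary directly in user profile data directory")
    # Version-info strings are chosen by whoever built the file, so a vendor
    # name that appears nowhere in the path is a mismatch, not a credential.
    words = rec.get("publisher", "").lower().split()
    if words and words[0] not in str(image):
        reasons.append("publisher name absent from image path")
    return reasons

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["entry"], triage(rec) or "ok")
```

Both checks are heuristics for prioritising entries to inspect, not proof of infection; a flagged file still needs to be scanned or have its signature verified.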

Before you know it, your passwords could have been stolen, your computer could be recruited into a botnet (the malware is a variant of the Dorkbot worm) and you could have fallen victim to a ransomware attack.

There have been many variants of the Dorkbot attack spotted over the last year or so, spreading via Facebook and Twitter. The threat can also spread via USB sticks, and various instant messaging protocols.

The danger is, of course, that Skype users may be less in the habit of being suspicious about links sent to them than, say, Facebook users.

Always remember to be suspicious of unsolicited out-of-character messages sent to you by your online friends.

You don’t know that it was a friend who sent you the message. All you know is that it was their account which posted it to you… and who knows if it was compromised or not?

Update: A Skype spokesperson contacted Naked Security to give us the following statement:

"Skype takes the user experience very seriously, particularly when it comes to security. We are aware of this malicious activity and are working quickly to mitigate its impact. We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links – even when from your contacts – that look strange or are unexpected is not advisable."

Thanks to Anna and Julie at SophosLabs for their assistance with this article.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
