
Skype and Secondlife related virus!


You are about to reply to a thread that has been inactive for 3828 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

It's pretty easy to get caught by something like this, because friends pass pictures to each other all the time on Skype and this looks like any other picture at casual glance.

A friend's hacked account sent this to me and I noticed it because the icon was different and Windows reported the type as a .scr (which is really an executable under the hood). Even though the filename showed as .png, it was a pretty clever little trick.

Also for people relying on antivirus? I can tell you that mine didn't catch it, and when I uploaded to a tester site only about 25% of the engines picked it up. Would more have caught it once the payload was decrypted and it tried to go into memory? I dunno... maybe. I wasn't about to spin up a VM to test it because I wasn't that curious to find out what it did.

In any case, I sent the sample to the AV company so they can hopefully add it to their signatures soon.

The aging method of changing filenames to trick people on PCs has been around since 2002; it's not new and, while it can be a bad experience for some, especially with Windows hiding most known filetypes as standard, it also boils down to common sense to prevent it and learn from it.

Portable network graphic (.png) files are not executable files but screen saver (.scr) are executable.

Skype warns all users of the dangers of accepting fails, even from friends, as soon as you click that's ok, continue, you're putting yourself in position to be infected.

Any decent antivirus will detect this form of virii, and that is regardless of filetype, and that goes for the majority of free antivirus programs out there; the tech-savvy amongst you can check the filetype hex below before executing.

  • Hex: 4D 5A, ASCII: MZ

You can, if you wish to be that little bit more cautious, disable the screensaver executable filetype or the png filetype via a group security policy such as software restriction policy, which can be read in more detail at http://www.mechbgon.com/srp/

But I'd suggest just getting an antivirus; there are lots of great free ones out there if your pocket is empty, to name a few...

 

AVG, Comodo, avast, baidu


.scr isn't executable on a Mac, and the default setting for execution of downloaded code on a Mac is to throw a warning dialog and require user (name/password) authentication to enable execution. So this type of malware is not a threat to Mac users.

But, if the following example works, this is a way to slip banned words into the forum...

‮!ekyD naV kciD yas nac ew won ,ooh ooW


If I've properly understood this, shouldn't I start to smell a rat when I download this .png file, try to open it, and, rather than seeing Picasa start to open, I get a warning message from Windows 7 that I'm trying to run an executable file downloaded from the internet (and probably that it wants to make changes to my PC, as well)?


DigitaL Scribe wrote:

 
<snip>

But I'd suggest just getting an antivirus; there are lots of great free ones out there if your pocket is empty, to name a few...

 

AVG, Comodo, avast, baidu

 

The Unicode Consortium actually has a published paper on this subject, Unicode Security Considerations.

 

I can't imagine any halfway reputable AV ignoring their recommendations in section 2.6 about syntax spoofing. Especially when it's been around this long.
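Added example, not code from any poster in this thread: a small check that combines the two defensive points raised above, the "MZ" (4D 5A) header test from the earlier post and the Unicode syntax-spoofing concern from this one. It flags a received file whose name carries a bidirectional override (the U+202E trick that makes "gnp.scr" display as "rcs.png") or whose content starts with an executable header while the extension claims an image. The filenames and header bytes are constructed samples, not real malware.

```python
import os
import unicodedata

# Unicode bidi override/embedding/isolate controls covered by the Unicode
# Security Considerations syntax-spoofing section; U+202E (RLO) is the classic.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
IMAGE_EXTS = frozenset({".png", ".jpg", ".jpeg", ".gif", ".bmp"})
PE_MAGIC = b"MZ"                      # hex 4D 5A: DOS/PE executable header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # PNG file signature

MSG_MZ = "content starts with MZ (4D 5A): Windows executable"


def bidi_controls_in(name: str) -> list:
    """Names of any bidi control characters hidden in a filename."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """Extension the OS actually uses: the text after the last dot."""
    return os.path.splitext(name)[1].lower()


def assess_file(name: str, head: bytes) -> list:
    """Reasons a received file looks like a disguised executable.
    `head` is the first few bytes of the file's contents."""
    reasons = []
    controls = bidi_controls_in(name)
    if controls:
        reasons.append("filename contains bidi control(s): " + ", ".join(controls))
    ext = real_extension(name)
    if head.startswith(PE_MAGIC):
        reasons.append(MSG_MZ)
        if ext in IMAGE_EXTS:
            reasons.append(f"MZ content but extension {ext} claims an image")
    elif ext == ".png" and not head.startswith(PNG_MAGIC):
        reasons.append("extension .png but content lacks the PNG signature")
    return reasons


# Constructed samples: an RLO name that renders as "photo_rcs.png" while the
# OS sees ".scr", a PE-style header, and a benign PNG header.
SAMPLE_SPOOFED_NAME = "photo_\u202egnp.scr"
SAMPLE_PE_HEAD = b"MZ\x90\x00\x03\x00\x00\x00"
SAMPLE_PNG_HEAD = PNG_MAGIC + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for n, h in [(SAMPLE_SPOOFED_NAME, SAMPLE_PE_HEAD), ("holiday.png", SAMPLE_PNG_HEAD)]:
        print(repr(n), assess_file(n, h) or ["no issues found"])
```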


Innula Zenovka wrote:

If I've properly understood this, shouldn't I start to smell a rat when I download this ,png file, try to open it, and, rather than seeing Picasa start to open, I get a warning message from Windows 7 that I'm trying to run an executable file downloaded from the internet (and probably that it wants to make changes to my PC, as well)?

 

It is pretty well established how much the prospect of seeing naked pictures of Anna Kournikova overrode people's better sense.

Yes, the intended victims of this virii are Windows users, not Mac users, and .scr is a screensaver executable.

Mac OS X is basically Unix in a skirt, so it and Linux distros would not be susceptible to this infection.

However, this would not stop them passing it on to their friends who are Windows users.

Most antivirus scan engines have heuristic methods and smart sandbox functions for this very type of file manipulation.

The best method, however, is your own common sense: be wary of random strangers sending you pictures, be wary of avatars coming on strong with no pre-emptive motives, examine links sent, ask them to put the picture in their profile or on an image host, examine avatar creation dates, and scan file(s) if possible on multiple freely available multi-engine virus scan sites online, like the two below for example.

http://www.virustotal.com

http://virusscan.jotti.org/en

Indeed my typing failed me there; "Fail" should have been "File", pardon the pun.

"I'm pretty tired of people who post hyperbolised scare messages about the same old online threats."

Yeah, we should bury our heads in the sand instead, right?

The OP's message was clear and can be seen as just a fellow community member giving awareness to a particular threat.

It's always good to know of an old or new threat while it's still active and being used on this platform and relevant.
