- users receive messages via Skype Chat asking them to download and run a file
- the file is named sp.exe
- if the file is run, it appears to drop and run a password-stealing Trojan horse
- the file also appears to run another set of code that uses Skype to propagate the original file
- the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
- the file connects to a remote server for additional code
- the original site has been blackholed and is no longer serving the code
- the number of victims is still TBD
- the original infections appear to be in the APAC region (Korea in particular)
More details will be published later today as we learn more.
Special thanks to the Shadow Server for research assistance.
SANS also has a blog about it.