New ransomware spreads through malicious links in Skype IMs

A new malicious worm that spreads through Instant Messages (IMs) over Skype has been discovered. This worm manifests itself as yet another variation of ransomware and also unloads itself to generate a click fraud from the users’ machine.

The worm is a strain of the Dorkbot virus and it utilizes the notorious Blackhole security exploit kit. However, it can only be unloaded when a victim actively clicks on a link that is sent to them via a Skype IM. The attacker accomplishes this by sending an IM with a curiosity tickling message that reads “lol is this your new profile pic?”. This is followed by a shortened link that masks its real destination.

Once this link has been clicked a ZIP file gets downloaded on the machine which opens up a backdoor entry for the malicious worm to infect the system. This also allows a remote hacker to take total control of the machine to install a version of ransomware.

What happens when the worm enters a machine?

As with other strains of ransomware, this worm encrypts all the files on the machine and denies access to the user. It then displays a page that demands a payment of $200 within 48 hours and claims that all the encrypted files will be permanently deleted if the payment is not received through the specified channel.

The reason stated is that the user visited nefarious websites containing illegal MP3s, child pornographic content, illegal gambling centers or more. Furthermore, it threatens to send the information to a special department of the US Government via a program called ‘System Cleaner’. In order to remove such malware, a machine needs to be booted in Safe Mode and then scanned with the best virus protection software, as the case with the recent FBI Moneypak virus showed us.

The worm also activates a click fraud from the infected machine. It discreetly clicks on ads to generate revenue for the malware authors. It has been found that the worm activates around 2,000 clicks in a span of 10 minutes.

Skype acknowledged the presence of this threat and advised all users to immediately update to the latest version of the software across all the hardware that it is used on. Additionally, it is also recommended to update the security software installed on a machine. Quick Heal users should update to Quick Heal 2013 to remain safe from such malicious attacks.

Rahul Thadani

Rahul Thadani


Your email address will not be published.


  1. Thanks rahul