Thursday, October 18, 2007

Skype plugin is malware

Skype has been under attack again lately. Just recently, a worm affected Skype for Windows users, and now a Skype Extra that claims to be a security tool tries to steal password (login) data. Villu Arak writes in Skype Heartbeat:

"404-SkypeDefenderSetup.exe is classified as an Infostealer, that is, a Trojan horse program that attempts to steal sensitive information such as login credentials.

When executed it displays a confirmation window with the following text, “Skype-Defender(TM) Installed! Please login to your account to apply new plugins”.

When the user clicks the OK button, the malware displays what looks like a Skype login screen, but which has a different-looking sign-in button.

When the user enters the Skype username and password, the malware displays a message saying that the name and password were unrecognized.

The malware collects the entered Skype username and password, as well as all usernames and passwords saved in Internet Explorer, and sends them over to a website that collects this stolen data.

To remove the malware, please update your anti-virus software. At this time, we have notified F-Secure, TrendMicro, Symantec, WebSense, and FaceTime Security Labs. For manual removal it is enough to delete the 65404-SkypeDefenderSetup.exe file."

Personally, I love the game Extras, but I would not download and install just any random plugin. Also, "SkypeDefender" sounds weird, and if Skype had a defender program, it would probably have been published on the Skype blogs or in the Extras panel of Skype!

Ocean said...

This version displays an alert box from Skype telling me directly that I had changed my password already and needed to re-enter my login password and username to be able to open Skipe, which was already closed... so it's getting more vicious.
There was nothing about installing a program or anything, just a click on "OK" as the only option, for the message telling me that I had changed my password. I thought of a technical error. Then the rest is the same: a box opens up for me to enter my user name and password, but... my user name was already written in it, so it looks real, and I had only to enter my password, which I did, and afterwards it told me the password was wrong.
But even better than that, I then went to the Skipe website and attempted to log in to my account, but couldn't do so. There too it displayed the exact same message telling me that my password was wrong, and so I tried to click on "forgotten your password" and gave my email address with my user name to be able to get a polet and then log in to the Skipe website, but I never received it, so I tried again and then it told me that it was the wrong combination of email and username even though it was the same, so I tried with my secondary email and it worked. I did so several times, as here too I never received any email from Skipe, and here I am talking about Skipe's own website.
I send messages to support, no answers.
I have, as antivirus and trojan filter, the program Antivir Premium, and this company wasn't alerted about that Skipe defender... big mistake.
I tried to search for the setup file 404 of Skipe defender setup exe, with no results at all. I searched for all setup exe and that one wasn't to be found, so I can't remove it manually.
If anyone could give some detailed information as to how to remove it I will be very pleased. Say where in the computer, that will help, the entire file name.
I think this one is a new version of the new trojan, an advanced one.
There was no way to know that it was malware. I thought someone had already stolen access to my account or was trying to do so, so I hurried to enter my login to be able to change my password ASAP... but the damn thing was already there.
It appears as being an alert for security protection from Skipe, as a control that I am the one who has changed my password. It seemed probable, as only Skipe got my IP address and can connect my account with it and send me such a message as a pop-up window.
I imagine that if one of my contacts was infected, then all in his contact list got the trojan directly sent to them, just as viruses and trojans work when getting through via emails... the classic. Except that there is no "spam/virus fighter" for Skipe.
I am choked to see that the problem has been around for so many days but that Skipe didn't send an emergency notice to all users to limit the epidemic.
And now it has mutated to something worse.
Next time, don't forget to notify ANTIVIR, they are damned good at finding anti trojan fast.

I would like someone to deepen the explanation as for this malware's ability to fish all passwords and user names stored in my Internet Explorer.
Does it include my bank account / net bank?
All entries to forums, and the like?
I personally don't see what the hell they can do with all that info flushing in, as for who at the other end has the capacity to sort it all out.
There is a note about it on the home site of Antivir dated 3 days ago, so I had a filter for it on my machine already, meaning that this one is a new one, and a more vicious one, as I received no alert.
This is the season of new trojans! 20 entered my computer in the past 2 weeks, when I usually have one every 2 years! Well, it's more like 3-4 different kinds, re-entering the system several times.
But that Skipe one is a real nasty one.
Any info from others is welcome.

Nafcom said...


Thanks for your comment!
I guess you mean SKYPE.
Well, passwords and usernames can be used for free phone calls if the user has also SkypeOut credits on his account.

And yes, Skype forums logins are included since it's the same account. And bank account is not included, except if you enabled PayPal Approved.

The other questions I cannot answer since I have no idea about the details of this trojan.

You can report trojans, viruses, etc. to AntiVir directly at their dedicated email address for this.

Hope this helps you at least a bit!

villa south of France said...

Some Windows users have been affected by a malware program that imitates Skype software and attempts to steal sensitive information. 65404-SkypeDefenderSetup.exe is classified as an Infostealer, that is, a Trojan horse program that attempts to steal sensitive information such as login credentials.

When executed it displays a confirmation window with the following text, “Skype-Defender(TM) Installed! Please login to your account to apply new plugins”.

Be warned!

Nafcom said...

@ villa south of France: So there is a new one now? Thanks for that info, I hope it will help other users!