Websense Security Labs - Trojan - Skype
October 2007 by Websense
Websense® Security Labs™ has discovered a new Trojan Horse / DNS redirector being distributed via email with URL lures. The email message is written in Spanish and presented in HTML. It attempts to lure users into clicking a link in order to download the business version of Skype.
If users click on the URL, they are directed to a site hosted on the Spanish version of Lycos. The site was up at the time of the alert. The site contains no exploit code, but hosts a Trojan Horse with the filename "skype.exe" (MD5: 80c954716eb2525b634a515ec785f03b).
When the file runs, it modifies the Windows hosts file and opens Internet Explorer to the Spanish version of the Skype Business Version download page. The modification the malware makes to the hosts file redirects visitors from www.banamex.com to a phishing website. At the time of testing, the file was not detected by anti-virus software.
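A defender can check for this kind of tampering by parsing the hosts file and flagging any entry that pins the targeted domain to an address. The Python below is an added example, not part of the Websense alert; the sample file contents, the 203.0.113.10 documentation-range address and the watch list are constructed assumptions.

```python
import ipaddress

# Constructed sample of a tampered hosts file. 203.0.113.10 is a
# documentation-range placeholder, not an address from the alert.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.banamex.com   # constructed entry
203.0.113.10    banamex.com WWW.Banamex.COM.
0.0.0.0         ads.example.net
not-an-ip       www.banamex.com
"""

# Assumption: domains the defender wants to protect from local redirection.
WATCHED = {"banamex.com"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:
            # Normalise case and a trailing dot so aliases compare equal.
            yield line_no, ip, name.lower().rstrip(".")


def find_redirects(text, watched=WATCHED):
    """Return hosts entries that map a watched domain or one of its subdomains."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        for domain in watched:
            if name == domain or name.endswith("." + domain):
                hits.append((line_no, str(ip), name))
    return hits


if __name__ == "__main__":
    # On a live Windows system, read the hosts file under
    # %SystemRoot%/System32/drivers/etc/ instead of the sample.
    for line_no, ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Any hit is worth investigating, since a public banking domain normally has no reason to appear in a workstation's hosts file.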