Warnings late Monday and very early Tuesday claimed that a worm was propagating across Skype -- one of the most popular voice-over-IP applications -- and infecting systems with a password-stealing Trojan horse. Tuesday, for example, Symantec issued an alert to customers of its DeepSight threat management service that a worm it dubbed "Chatosky" was spreading in the Asia Pacific region, including South Korea.
"The code isn't a worm," says Dan Hubbard, VP of research at security vendor Websense. "It relies on the end user to acknowledge a binary through the API, which is normal behavior in Skype." In addition, the threat does not make copies of itself.
"It's not exploiting a vulnerability," adds Hubbard.
Websense was among the first to post an alert about a possible Skype worm. However, after talking with the Skype security team, which is based in Estonia, Hubbard says he had reclassified the threat as a Trojan horse. "A user with Skype will get a message to download a program from a URL included in a chat message," says Hubbard. "If they click on that, a program runs in the background, then injects itself into the Explorer process. It looks like the Trojan is designed to grab forms and passwords from the browser."