Worm Spreads Itself Via Skype
The "w32/Ramex.A" worm is the latest release to remind Skype for Windows users that they need an antivirus update. Also, it's a good reminder no to click on every link sent via the software's IM application.
September 11, 2007
The worm uses Skype’s public Application Program Interface (API) to access the PC.
At first, users receive a chat message inviting them to click on a link supposed to lead to a .jpg image. The message can come from an unknown source or from one of the user's friends that already got infected.
As expected, the link leads to the virus file. Users who click the link will be asked to save or run a certain .scr file. Not accepting the file download is enough to keep the users safe. However, this might not be the case.
According to the Skype blog, F-Secure, Kaspersky Lab and Symantec have already updated their products and a simple scan will find and remove the “w32/Ramex.A” malware.
Also, the blog provides tech-wise users with simple instructions on how to remove the malware themselves:
- Restart the PC in safe mode
- Run regedit
- Go to HKLM/software/microsoft/windows/currentversion/runonce find entry with mshtmldat32.exe. Delete this entry.
- Go to Windows\System32 directory and delete following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
- Go to windows/system32/drivers/etc
- Find file hosts
- Open it with notepad, ctrl+a and delete all entries (this will resume your antivirus updates), save, close.
- Restart the PC.