(updated at 16.30 GMT, added Symantec reference) (update at 17.15 GMT: FSecure now calls the virus W32/Skipi.A. Symantec has named it W32.Pykspa.D.) (update at 9 am GMT on Sep. 11: Our security team is actively engaging with domain owners to shut down malicious websites that are being used to spread the virus.) - - - - - The new week has started with a bang. And not the kind of bang we like. Skype has learned that a computer virus called “w32/Ramex.A” is affecting users of Skype for Windows. Users whose computers are infected with this virus will send a chat message to other Skype users asking them to click on a web link that can infect the computer of the person who receives the message. Please note that Skype users ONLY become infected after they have downloaded the link and run the malicious software. The chat message, of which there are several versions, is cleverly written and may appear to be a legitimate chat message, which may fool some users into clicking on the link. Skype has been in contact with the leading antivirus software companies about this worm, and we know that they are updating their software to effectively stop this worm and as well as its side effects. Currently, F-Secure, Kaspersky Lab and Symantec have already updated their antivirus products to detect and remove the worm. We would like to encourage our users to ensure that they are running anti-virus software on their computers and to download the latest anti-virus updates in order to provide the best protection against this and other viruses. Here's a more detailed look at the situation for those who understand techier talk: When a Skype user receives the chat message -- either from their Skype contacts or users not on their contact list -- it includes an internet link. Instead of a .jpg image that it seems to point to, the link actually leads to a virus file. By clicking on the link, the Windows Run/Save dialog box will pop up, asking for permission to save or run a .scr file. This is the virus file and should not be downloaded or run. If the user accepts the file, however, their Windows PC will be infected with the w32/Ramex.A virus. The worm uses Skype's public Application Program Interface (API) to access the PC. There are two ways to get rid of the worm: the normal way and the techhead way. Most users should NOT attempt to edit their computer's registry manually. For most people, downloading and/or updating their anti-virus software, and scanning their computer to detect and remove the worm, is the way to go. Expert users -- and only expert users -- who know what they're doing can also remove the worm manually. 1. Restart the PC in safe mode 2. Run regedit 3. Go to HKLM/software/microsoft/windows/currentversion/runonce find entry with mshtmldat32.exe. Delete this entry. 4. Go to Windows\System32 directory and delete following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe 5. Go to windows/system32/drivers/etc 6. Find file hosts 7. Open it with notepad, ctrl+a and delete all entries (this will resume your antivirus updates), save, close. 8. Restart the PC. Wishing you a virus-free week.