Worm.Win32.Skipi.a
From Total Malware Info
This Internet worm spreads via Skype. It is a Windows PE EXE file, 188 416 bytes in size, written in C++.
Installation
To mask its activity, the worm opens the following picture in the image viewer (if the file exists on the infected machine):
%WinDir%\Soap Bubbles.bmp
Once launched, the worm copies itself to the Windows system directory as:
%System%\wndrivs.exe
%System%\mshtml32.exe
%System%\sdrives32.exe
%System%\winlgcver.exe
It then registers itself in the system registry (where %WormCopy% is one of the worm copies listed above):
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Start Services" = "%WormCopy%"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Windows Explorer" = "explorer.exe %WormCopy%"
"Logon Data" = "%WormCopy%"
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies Settings" = ""
The worm also creates the following registry key:
[HKLM\Software\RMX\cfg]
Payload
The worm spreads through the Skype client, using the Skype API to control the program from outside. On behalf of the infected user it sends messages to every address in the Skype contact list. The messages are assembled from various sequences of the following lines:
hey
how are u ? :)
look your photos
looks realy nice
where I put ur photo :D
I used photoshop and edited it
look what crazy photo Tiffany sent to me...
haha lol
now u populr
really funny
you checked ?
oops sorry please don't look there :S
oh sry not for u
u happy ?
this (happy) sexy one
what ur friend name wich is in photo ?
labas esi?
ziurek kur tavo foto imeciau :D
kaip as taves noriu
zek kur tavo foto metos isdergta
cia tu isimetei ?
cia biski su photoshopu pazaidziau bet...
kas cia tavim taip isderge ? =]]
patinka?
geras ane ?
matai :D
as net nezinau ka tavo vietoj daryciau... :S
pala biski
In the messages, the link to the worm's executable file is underlined.
A snapshot of a Skype chat generated by the worm is shown below:
[17:59:05] User says: how are u ? :)
[17:59:22] User says: look what crazy photo Tiffany sent to me,looks cool
[17:59:26] User says: http://www%InfectedURL%.jpg
[17:59:37] User says: oops sorry please don't look there :S
[17:59:40] User says: :)
As a disguise, the worm uses the document icon of the standard Windows image viewer.
When an Internet connection is available, the worm opens the following URLs:
- http://www.****me.org/erotic-gallerys/usr5d8c/****jpg (At the moment of writing, this link was not working.);
- http://www.****space.net/erotic-gallerys/usr5d8c/****.scr (188 416 bytes, detected by Kaspersky Anti-Virus as Worm.Win32.Skipi.c)
The worm also spreads by copying itself to USB storage devices connected to the infected computer. It writes its body to the root directory of each device under the following names:
game.exe
zjbs.exe
In the same root directory it creates the file "autorun.inf" with the following content:
[autorun]
action=Windows Picture and Fax Viewer
open=zjbs.exe
icon=zjbs.exe
The worm modifies the following file:
%System%\drivers\etc\hosts
It adds entries that map the following anti-virus update domains to random IP addresses, so that requests for updates are redirected away from the real servers:
avast.com avp.com ca.com drweb.com eset.com f-secure.com symantec.com pandasoftware.com sophos.com mcafee.com kaspersky-labs.com kaspersky.ru symantecliveupdate.com viruslist.com networkassociates.com norman.com trendmicro.com nai.com grisoft.com esaugumas.lt virustotal.com windowsupdate.microsoft.com jotti.org bkav.com.vn bitdefender.com barracudanetworks.com free-av.com nod32-es.com my-etrust.com
The worm also terminates processes whose names contain any string from a long embedded list, mostly the names of anti-virus products, firewalls, and system monitoring and analysis tools.
The worm launches the iexplore.exe process and injects its code into it. It also attempts to terminate the following processes:
wndrivs.exe
mshtml32.exe
sdrives32.exe
winlgcver.exe
The worm code injected into "Explorer.exe" then restarts these processes.
Removal instructions
If your computer was not protected by anti-virus software and has been infected by this malware, follow the instructions below to remove it manually:
- Reboot computer into "Safe Mode".
- Delete the original worm file (its file name and location depend on how the worm originally entered the computer).
- Delete the following files:
%System%\wndrivs.exe
%System%\mshtml32.exe
%System%\sdrives32.exe
%System%\winlgcver.exe
- Delete the registry keys:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Start Services" = "%WormCopy%"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Windows Explorer" = "explorer.exe %WormCopy%"
"Logon Data" = "%WormCopy%"
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies Settings" = ""
[HKLM\Software\RMX\cfg]
- Edit the following file:
%System%\drivers\etc\hosts
Delete all lines that the worm added to this file. The original file contains the following lines:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
- Check the root directory of every USB storage device that was connected to the infected computer for the following files:
game.exe
zjbs.exe
autorun.inf
If such files exist, delete them.
- Use Kaspersky Anti-Virus to remove the worm: update the anti-virus databases and perform a full scan of the computer.
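The hosts-file check implied by the Payload section and by the cleanup step above, as an added example that is not part of the original description: the script flags every hosts entry that maps one of the listed anti-virus update domains (or any host under one of them) and returns the file with those lines removed, keeping the default Microsoft lines. The sample hosts content is constructed; the 192.0.2.x addresses are documentation addresses, not real infrastructure.

```python
# Added example, not part of the original description: scan a Windows hosts
# file for entries that redirect the listed anti-virus update domains.

# Domains the description says the worm redirects (taken from the page).
AV_DOMAINS = {
    "avast.com", "avp.com", "ca.com", "drweb.com", "eset.com", "f-secure.com",
    "symantec.com", "pandasoftware.com", "sophos.com", "mcafee.com",
    "kaspersky-labs.com", "kaspersky.ru", "symantecliveupdate.com",
    "viruslist.com", "networkassociates.com", "norman.com", "trendmicro.com",
    "nai.com", "grisoft.com", "esaugumas.lt", "virustotal.com",
    "windowsupdate.microsoft.com", "jotti.org", "bkav.com.vn",
    "bitdefender.com", "barracudanetworks.com", "free-av.com",
    "nod32-es.com", "my-etrust.com",
}

def is_av_host(name):
    """True if name is one of the listed domains or a host under one of them."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in AV_DOMAINS)

def find_hosts_hijacks(hosts_text):
    """Return (line_no, ip, hostname) for every mapping of a listed domain."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # comments are not mappings
        if not entry:
            continue
        ip, *names = entry.split()
        hits.extend((no, ip, n) for n in names if is_av_host(n))
    return hits

def clean_hosts(hosts_text):
    """Return the hosts text with every hijacking line removed."""
    bad = {no for no, _, _ in find_hosts_hijacks(hosts_text)}
    kept = [l for no, l in enumerate(hosts_text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample: default Microsoft lines plus two worm-style entries
# pointing at documentation addresses (192.0.2.0/24).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.10      www.kaspersky.ru
192.0.2.11      liveupdate.symantecliveupdate.com
"""

if __name__ == "__main__":
    for no, ip, host in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```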