F-Secure Malware Information Pages: IM-Worm:W32/Pykse.A

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: IM-Worm:W32/Pykse.A

[Summary] \| [Disinfection] \| [Detailed Description] \| [Detection]
Name :	IM-Worm:W32/Pykse.A
Alias:	Trojan.Downloader-5467, Worm.IM.Picse.A, IM-Worm.Win32.Pykse.a
Size:	179,328 Bytes
Type:	IM-Worm
Category:	Malware
Platform:	W32
Date of Discovery:	April 15, 2007

Radar

Summary

IM-Worm:W32/Pykse.A is an instant messaging worm that uses Skype's API to send messages with malicious URL links.

Back to the Top

Disinfection

Automatic Disinfection

Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by themselves to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:

http://www.f-secure.com/download-purchase/tools.shtml

ftp://ftp.f-secure.com/anti-virus/tools/

F-Secure Anti-Virus can be purchased from our web shop or from our authorized distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:

http://www.f-secure.com/download-purchase/

All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp site:

http://www.f-secure.com/download-purchase/updates.shtml

Manual Disinfection

It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.

System Restore issue and file viruses

If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that, System Restore feature of these operating systems might save an infected file into the special folder and copies it back to a hard drive every time it has been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:

Windows ME:

http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:

http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration if any crash or incompatibility issue occurs in the future.

Back to the Top

Detailed Description

IM-Worm:W32/Pykse.A is an instant messaging worm that propagates through Skype. There is a weblog post on the matter.

Once IM-Worm:W32/Pykse.A has been executed, it will show a picture of a lightly dressed woman as below:

The image above has been blurred.

IM-Worm:W32/Pykse.A then drops the following files:

%sysdir%\Invisible002.dll - contains most of malicious code
%sysdir%\system32\Skype.exe

It adds the following auto start registry entry to enable its automatic execution upon boot up:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SkypeStartup = "%sysdir%\Skype.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SkypeStartup = "%sysdir%\Skype.exe"

It also adds the .DLL component as a BHO (Browser Helper Object) so that once the Internet browser is loaded, the malware is also loaded simultaneously.

IM-Worm:W32/Pykse.A creates the following key, to save some of its installation details:

HKCU\Software\SkypeWorm\cfg

It creates the following mutexes to signify each malicious routine. No duplicate mutex could be created to ensure that only these three mutexes are present in the memory at one particular time:

Skype Worm spreader mutex - Spreading routine
Skype Worm server mutex1 - Other routines
aaa111226 - Iexplore.exe injection

IM-Worm:W32/Pykse.A spreads via Skype by sending a message with a malware link to all online friends in Skype' contact list using Skype API.

The message is randomly chosen from the following list:

It sets the Skype user's status to DND (Do not Disturb) so that the user cannot be actively notified for incoming calls or messages.

It visits the following none malicious links:

http://aras.lookingat.us/index.htm
http://asilas.my-php.net/index.html
http://bobodada.3-hosting.net/index.html
http://bobos45.bebto.com/index.html
http://gogo442.hatesit.com/index.html
http://jackdaniels.110mb.com/index.html
http://timboss.1majorhost.com/index.html
http://zozole.php0h.com/index.html

Moreover the following site is also visited, probably a counter for the number of infected machines:

http://aras.allfreehost.net/c[REMOVED]nt.php

Back to the Top

Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2007-04-16_01.

Back to the Top

F-Secure Corporation

Last Modified: April 16, 2007