IM-Worm:W32/Pykse.A
| Name : | IM-Worm:W32/Pykse.A |
| Size: | 179,328 Bytes |
| Category: | Malware |
| Type: | IM-Worm |
| Platform: | W32 |
| Date of Discovery: | April 15, 2007 |
Summary
IM-Worm:W32/Pykse.A is an instant messaging worm that uses Skype's API to send messages with malicious URL links.
Disinfection
Automatic Disinfection
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by themselves to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our web shop or from our authorized distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp site:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that, System Restore feature of these operating systems might save an infected file into the special folder and copies it back to a hard drive every time it has been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration if any crash or incompatibility issue occurs in the future.
Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or overwriting virus, a user can select disinfection action by themselves to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our web shop or from our authorized distributors. A trial version F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp site:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors from viruses as it can cause damage to a system and make it unbootable.
System Restore issue and file viruses
If Windows ME or XP is used, it is recommended to disable System Restore feature of these operating systems to prevent a computer from re-infection by an already removed malware. The fact is that, System Restore feature of these operating systems might save an infected file into the special folder and copies it back to a hard drive every time it has been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to restore stable system configuration if any crash or incompatibility issue occurs in the future.
Additional Details
IM-Worm:W32/Pykse.A is an instant messaging worm that propagates through Skype. There is a weblog post on the matter.
Once IM-Worm:W32/Pykse.A has been executed, it will show a picture of a lightly dressed woman as below:
The image above has been blurred.
IM-Worm:W32/Pykse.A then drops the following files:
It adds the following auto start registry entry to enable its automatic execution upon boot up:
It also adds the .DLL component as a BHO (Browser Helper Object) so that once the Internet browser is loaded, the malware is also loaded simultaneously.
IM-Worm:W32/Pykse.A creates the following key, to save some of its installation details:
It creates the following mutexes to signify each malicious routine. No duplicate mutex could be created to ensure that only these three mutexes are present in the memory at one particular time:
IM-Worm:W32/Pykse.A spreads via Skype by sending a message with a malware link to all online friends in Skype' contact list using Skype API.
The message is randomly chosen from the following list:
It sets the Skype user's status to DND (Do not Disturb) so that the user cannot be actively notified for incoming calls or messages.
It visits the following none malicious links:
Moreover the following site is also visited, probably a counter for the number of infected machines:
Once IM-Worm:W32/Pykse.A has been executed, it will show a picture of a lightly dressed woman as below:
The image above has been blurred.
IM-Worm:W32/Pykse.A then drops the following files:
• %sysdir%\Invisible002.dll - contains most of malicious code
• %sysdir%\system32\Skype.exe
It adds the following auto start registry entry to enable its automatic execution upon boot up:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SkypeStartup = "%sysdir%\Skype.exe"
SkypeStartup = "%sysdir%\Skype.exe"
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SkypeStartup = "%sysdir%\Skype.exe"
SkypeStartup = "%sysdir%\Skype.exe"
It also adds the .DLL component as a BHO (Browser Helper Object) so that once the Internet browser is loaded, the malware is also loaded simultaneously.
IM-Worm:W32/Pykse.A creates the following key, to save some of its installation details:
• HKCU\Software\SkypeWorm\cfg
It creates the following mutexes to signify each malicious routine. No duplicate mutex could be created to ensure that only these three mutexes are present in the memory at one particular time:
• Skype Worm spreader mutex - Spreading routine
• Skype Worm server mutex1 - Other routines
• aaa111226 - Iexplore.exe injection
IM-Worm:W32/Pykse.A spreads via Skype by sending a message with a malware link to all online friends in Skype' contact list using Skype API.
The message is randomly chosen from the following list:
It sets the Skype user's status to DND (Do not Disturb) so that the user cannot be actively notified for incoming calls or messages.
It visits the following none malicious links:
• http://aras.lookingat.us/index.htm
• http://asilas.my-php.net/index.html
• http://bobodada.3-hosting.net/index.html
• http://bobos45.bebto.com/index.html
• http://gogo442.hatesit.com/index.html
• http://jackdaniels.110mb.com/index.html
• http://timboss.1majorhost.com/index.html
• http://zozole.php0h.com/index.html
Moreover the following site is also visited, probably a counter for the number of infected machines:
• http://aras.allfreehost.net/c[REMOVED]nt.php
Detection
F-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2007-04-16_01.