IM-Worm:W32/Skipi.A

Classification

Category :

Malware

Type :

IM-Worm

Aliases :

Worm.Win32.Skipi.A

Summary

An IM-worm: a worm that spreads through Instant Messaging (IM) networks, in this case by sending the contacts of an infected Skype user links to a copy of itself.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

IM-Worm:W32/Skipi.A is an IM-worm that spreads via the chat function of the Skype instant-messaging client. It sends short text messages containing a URL on one of two websites. If the recipient follows the link, they are taken to a website where they are prompted to download a copy of the worm. After being run, the worm displays an image, usually "Soap Bubbles" (a standard wallpaper shipped with the Windows operating system), which fits the photo lure used in the messages.

Installation

Once downloaded onto a computer, the worm drops the following copies of itself:

  • %Windir%\system32\mshtmldat32.exe
  • %Windir%\system32\sdrivew32.exe
  • %Windir%\system32\winlgcvers.exe
  • %Windir%\system32\wndrivs32.exe

The worm then installs itself to the system and creates the following values in the Registry so that it is started again:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Services Start" = "mshtmldat32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Windows Sys" = "explorer.exe mshtmldat32.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Logon Settings" = "mshtmldat32.exe"

It also creates the following registry key, which can be used as an indicator of infection:

  • HKEY_LOCAL_MACHINE\SOFTWARE\RMX\cfg
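
A triage script for the file and registry artefacts listed above, added here as an example (it is not F-Secure tooling). The dropped file names, value names and key paths come from the description; the snapshot format, the function names and the winreg-based collector are this example's own. Run it with a 64-bit Python on 64-bit Windows so registry redirection does not hide the native view of HKLM\SOFTWARE.

```python
"""Triage check for the Skipi.A persistence artefacts listed above.

Added example for this page, not F-Secure tooling. find_indicators()
evaluates an in-memory snapshot (registry values plus file paths) so the
logic can be exercised anywhere; on a Windows host collect_live_snapshot()
fills that snapshot from the real registry and %WinDir%\\system32 using the
standard-library winreg module. The snapshot format is this example's own.
"""
import os
import platform

# Dropped copies and registry locations from the description (lowercased,
# because NTFS and the registry are case-insensitive).
DROPPED_FILES = {"mshtmldat32.exe", "sdrivew32.exe", "winlgcvers.exe", "wndrivs32.exe"}
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
]
MARKER_KEY = r"SOFTWARE\RMX\cfg"


def find_indicators(snapshot):
    """Return findings as strings.

    snapshot = {"registry": {key_path: {value_name: data}}, "files": [paths]};
    a key present in "registry" is one that exists on the host.
    """
    findings = []
    registry = snapshot.get("registry", {})
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            # Match the dropped file name anywhere in the data, which also
            # catches the "explorer.exe mshtmldat32.exe" form under Winlogon.
            if any(fn in str(data).lower() for fn in DROPPED_FILES):
                findings.append(f'registry: HKLM\\{key} "{name}" = {data!r}')
    if MARKER_KEY in registry:
        findings.append(f"registry: HKLM\\{MARKER_KEY} exists")
    for path in snapshot.get("files", []):
        # Normalise separators so Windows paths are handled on any platform.
        if os.path.basename(path.replace("\\", "/")).lower() in DROPPED_FILES:
            findings.append(f"file: {path}")
    return findings


def collect_live_snapshot():
    """Read the real registry keys and system32 on Windows; empty elsewhere."""
    snapshot = {"registry": {}, "files": []}
    if platform.system() != "Windows":
        return snapshot
    import winreg  # Windows-only standard-library module
    for key in RUN_KEYS + [MARKER_KEY]:
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key)
        except OSError:
            continue  # key absent
        values = {}
        with handle:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(handle, index)
                except OSError:
                    break  # no more values
                values[name] = data
                index += 1
        snapshot["registry"][key] = values
    system32 = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "system32")
    for filename in DROPPED_FILES:
        path = os.path.join(system32, filename)
        if os.path.exists(path):
            snapshot["files"].append(path)
    return snapshot


if __name__ == "__main__":
    for finding in find_indicators(collect_live_snapshot()):
        print(finding)
```

Note that "Windows Sys" and "Logon Settings" are not value names Winlogon itself consults (those are Shell, Userinit and a few others), so their presence under the Winlogon key is a strong indicator rather than something a legitimate installer would create.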

The worm terminates any running process whose image name (without extension) matches one of the following. The list mixes anti-virus, firewall and anti-spyware products with analysis tools (OllyDbg, Process Explorer, TCPView, Ethereal, Regedit, WinDbg) and names used by other malware, so monitoring or debugging tools closing on their own is itself a symptom on an infected host:

  • _AVP32
  • _AVPCC
  • _AVPM
  • 53ARCH
  • ACKWIN32
  • ADAWARE
  • ADVXDWIN
  • AGENTSVR
  • AGENTW
  • ALERTSVC
  • ALEVIR
  • ALOGSERV
  • AMON9X
  • ANTI-TROJAN
  • ANTIVIRUS
  • APIMONITOR
  • APLICA32
  • APORTS
  • APVXDWIN
  • ARMKILLER
  • ATCON
  • ATGUARD
  • ATRO55EN
  • ATUPDATER
  • ATWATCH
  • AUPDATE
  • AUTODOWN
  • AUTOTRACE
  • AUTOUPDATE
  • AVCONSOL
  • AVE32
  • AVGCC32
  • AVGCTRL
  • AVGNT
  • AVGSERV
  • AVGSERV9
  • AVGUARD
  • AVKPOP
  • AVKSERV
  • AVKSERVICE
  • AVKWCTl9
  • AVLTMAIN
  • AVP32
  • AVPCC
  • AVPDOS32
  • AVPTC32
  • AVPUPD
  • AVSCHED32
  • AVSYNMGR
  • AVWIN95
  • AVWINNT
  • AVWUPD
  • AVWUPD32
  • AVWUPSRV
  • AVXMONITOR9X
  • AVXMONITORNT
  • AVXQUAR
  • BACKWEB
  • BARGAINS
  • BD_PROFESSIONAL
  • BEAGLE
  • BIDEF
  • BIDSERVER
  • BIPCP
  • BIPCPEVALSETUP
  • BLACKD
  • BLACKICE
  • BOOTCONF
  • BOOTWARN
  • BORG2
  • BRASIL
  • BS120
  • BUNDLE
  • CCAPP
  • CCEVTMGR
  • CCPXYSVC
  • CFGWIZ
  • CFIADMIN
  • CFIAUDIT
  • CFINET
  • CFINET32
  • Claw95
  • CLAW95CF
  • CLEAN
  • CLEANER
  • CLEANER3
  • CLEANPC
  • CLICK
  • CLIENT
  • CMD32
  • CMESYS
  • CMGRDIAN
  • CMON016
  • CONDOM
  • CPF9X206
  • CPFNT206
  • CRACKER
  • CWNB181
  • CWNTDWMO
  • DATEMANAGER
  • DCOMX
  • DEFALERT
  • DEFSCANGUI
  • DEFWATCH
  • DEPUTY
  • DLLCACHE
  • DLLREG
  • DOORS
  • DPFSETUP
  • DPPS2
  • DRWATSON
  • DRWEB32
  • DRWEBUPW
  • DSSAGENT
  • DVP95
  • DVP95_0
  • ECENGINE
  • EFPEADM
  • ESAFE
  • ESCANH95
  • ESCANHNT
  • ESCANV95
  • ESPWATCH
  • ETHEREAL
  • ETRUSTCIPE
  • EXE.AVXW
  • EXPERT
  • EXPLORE
  • F-AGNT95
  • F-AGOBOT
  • FAMEH32
  • FCH32
  • FIH32
  • FINDVIRU
  • FIREWALL
  • FLOWPROTECTOR
  • FNRB32
  • FPORT
  • FPROT
  • F-PROT
  • F-PROT95
  • FP-WIN
  • FP-WIN_TRIAL
  • FRHED
  • FSAV32
  • FSAV530STBYB
  • FSAV530WTBYB
  • FSAV95
  • FSGK32
  • FSM32
  • FSMA32
  • FSMB32
  • F-STOPW
  • GATOR
  • GBMENU
  • GBPOLL
  • GENERICS
  • GUARD
  • GUARDDOG
  • HACKTRACERSETUP
  • HBINST
  • HBSRV
  • HIJACKTHIS
  • HONEYD
  • HOTACTIO
  • HOTPATCH
  • HTLOG
  • HTPATCH
  • HXIUL
  • IAMAPP
  • IAMSERV
  • IAMSTATS
  • IBMASN
  • IBMAVSP
  • ICESWORD
  • ICLOAD95
  • ICLOADNT
  • ICMON
  • ICSUPP95
  • ICSUPPNT
  • IEDLL
  • IEDRIVER
  • IEXPLORER
  • IFACE
  • IFW2000
  • IISLOCKD
  • INETLNFO
  • INFUS
  • INFWIN
  • INTDEL
  • INTREN
  • IOMON98
  • IPARMOR
  • ISASS
  • ISRV95
  • ISTSVC
  • JAMMER
  • JDBGMRG
  • KAVLITE40ENG
  • KAVPERS40ENG
  • KAVPF
  • KAVSVC
  • KAZZA
  • KEENVALUE
  • KERNEL32
  • LAUNCHER
  • LDNETMON
  • LDPRO
  • LDPROMENU
  • LDSCAN
  • LNETINFO
  • LOADER
  • LOCALNET
  • LOCKDOWN
  • LOCKDOWN2000
  • LOGGER
  • LOGVIEWER
  • LOOKOUT
  • LORDPE
  • LSETUP
  • LUALL
  • LUCOMSERVER
  • LUINIT
  • LUSPT
  • MAPISVC32
  • MCAGENT
  • MCMNHDLR
  • MCSHIELD
  • MCTOOL
  • MCUPDATE
  • MCVSRTE
  • MCVSSHLD
  • MFIN32
  • MFW2EN
  • MFWENG3.02D30
  • MGAVRTCL
  • MGAVRTE
  • MGHTML
  • MINILOG
  • MONITOR
  • MOOLIVE
  • MOSTAT
  • MPFAGENT
  • MPFSERVICE
  • MPFTRAY
  • MRFLUX
  • MSAPP
  • MSBLAST
  • MSCACHE
  • MSCCN32
  • MSCMAN
  • MSCONFIG
  • MSDOS
  • MSIEXEC16
  • MSINFO32
  • MSLAUGH
  • MSMGT
  • MSMSGRI32
  • MSSMMC32
  • MSSYS
  • MSVXD
  • MU0311AD
  • MWATCH
  • N32SCANW
  • NAVAP.NAVAPSVC
  • NAVAPSVC
  • NAVAPW32
  • NAVDX
  • NAVLU32
  • NAVNT
  • NAVSTUB
  • NAVW32
  • NAVWNT
  • NC2000
  • NCINST4
  • NDD32
  • NEOMONITOR
  • NEOWATCHLOG
  • NETARMOR
  • NETD32
  • NETINFO
  • NETMON
  • NETSCANPRO
  • NETSTAT
  • NETUTILS
  • NISSERV
  • NISUM
  • NMAIN
  • NOD32
  • NOD32CC
  • NOD32KRN
  • NOD32KUI
  • NOD32M2
  • NORMIST
  • NOTSTART
  • NPFMESSENGER
  • NPROTECT
  • NPSCHECK
  • NPSSVC
  • NSCHED32
  • NSSYS32
  • NSTASK32
  • NSUPDATE
  • NTRTSCAN
  • NTVDM
  • NTXconfig
  • NUPGRADE
  • NVARCH16
  • NVC95
  • NVSVC32
  • NWINST4
  • NWSERVICE
  • NWTOOL16
  • OLLYDBG
  • ONSRVR
  • OPTIMIZE
  • OSTRONET
  • OTFIX
  • OUTPOST
  • OUTPOSTINSTALL
  • PADMIN
  • PANIXK
  • PATCH
  • PAVCL
  • PAVPROXY
  • PAVSCHED
  • PCC2002S902
  • PCC2K_76_1436
  • PCCIOMON
  • PCCNTMON
  • PCCWIN97
  • PCCWIN98
  • PCDSETUP
  • PCFWALLICON
  • PCIP10117_0
  • PCSCAN
  • PDSETUP
  • PEDASM
  • PENIS
  • PERISCOPE
  • PERSFW
  • PERSWF
  • pexplorer
  • PFWADMIN
  • PGMONITR
  • PINGSCAN
  • PLATIN
  • PMDUMP
  • POP3TRAP
  • POPROXY
  • POPSCAN
  • PORTDETECTIVE
  • PORTMONITOR
  • POWERSCAN
  • PPINUPDT
  • PPTBC
  • PPVSTOP
  • PRIZESURFER
  • PRMVR
  • PROCDUMP
  • PROCESSMONITOR
  • PROCEXP
  • PROGRAMAUDITOR
  • PROPORT
  • PROTECTX
  • PURGE
  • PUSSY
  • PVIEW95
  • QCONSOLE
  • QSERVER
  • RAPAPP
  • RAV7WIN
  • RAV8WIN32ENG
  • RCSYNC
  • REALMON
  • REGCLEANER
  • REGED
  • REGEDIT
  • REGEDT32
  • RERGCLEANR
  • RESCUE
  • RESCUE32
  • RRGUARD
  • RSHELL
  • RTVSCAN
  • RTVSCN95
  • RULAUNCH
  • RUN32DLL
  • RUNDLL
  • RUNDLL16
  • RUXDLL32
  • SAFEWEB
  • SAHAGENT
  • SAVENOW
  • SBSERV
  • SCAM32
  • SCAN32
  • SCAN95
  • SCANPM
  • SCRSCAN
  • SCRSVR
  • SCVHOST
  • SERV95
  • SERVICE
  • SERVLCE
  • SERVLCES
  • SETUPVAMEEVAL
  • SGSSFW32
  • SHELLSPYINSTALL
  • SHOWBEHIND
  • SMSS32
  • SPERM
  • SPHINX
  • SPOLER
  • SPOOLCV
  • SPOOLSV32
  • SPYXX
  • SREXE
  • SS3EDIT
  • SSG_4104
  • SSGRATE
  • START
  • STCLOADER
  • SUPFTRL
  • SUPPORT
  • SUPPORTER5
  • SVCHOSTC
  • SVCHOSTS
  • SVSHOST
  • SWEEP95
  • SYMPROXYSVC
  • SYMTRAY
  • SYSEDIT
  • SYSTEM
  • SYSTEM32
  • SYSUPD
  • TASKMG
  • TASKMO
  • TASKMON
  • TAUMON
  • TBSCAN
  • TCPVIEW
  • TDS2-98
  • TDS2-NT
  • TDS-3
  • TEEKIDS
  • TFAK5
  • TGBOB
  • TITANIN
  • TITANINXP
  • TRACERT
  • TRICKLER
  • TRJSCAN
  • TRJSETUP
  • TROJANTRAP3
  • TSADBOT
  • TVTMD
  • UNDOBOOT
  • UPDAT
  • UPDATE
  • UPGRAD
  • UTPOST
  • VBCMSERV
  • VBCONS
  • VBUST
  • VBWIN9X
  • VBWINNTW
  • VCSETUP
  • VET32
  • VET95
  • VETTRAY
  • VFSETUP
  • VIR-HELP
  • VNLAN300
  • VNPC3000
  • VPC32
  • VPC42
  • VPFW30S
  • VPTRAY
  • VSCAN40
  • VSCENU6.02D30
  • VSCHED
  • VSECOMR
  • VSHWIN32
  • VSISETUP
  • VSMAIN
  • VSMON
  • VSSTAT
  • VSWIN9XE
  • VSWINNTSE
  • VSWINPERSE
  • W32DSM89
  • WATCHDOG
  • WEBDAV
  • WEBSCANX
  • WEBTRAP
  • WFINDV32
  • WGFE95
  • WHOSWATCHINGME
  • WIMMUN32
  • WIN32
  • WIN32US
  • WINACTIVE
  • WIN-BUGSFIX
  • WINDBG
  • WINDOW
  • WINDOWS
  • WINDUMP
  • WININETD
  • WININIT
  • WININITX
  • WINLOGIN
  • WINMAIN
  • WINNET
  • WINPPR32
  • WINRECON
  • WINSERVN
  • WINSSK32
  • WINSTART
  • WINSTART001
  • WINTSK32
  • WINUPDATE
  • WKUFIND
  • WRADMIN
  • WRCTRL
  • WSBGATE
  • WUPDATER
  • WUPDT
  • XPF202EN
  • ZAPRO
  • ZAPSETUP3001
  • ZATUTOR
  • ZONALM2601
  • ZONEALARM

The worm also modifies the Windows HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) to block access to anti-virus vendor sites: each of the hostnames below is mapped to a random IP address, so a user who tries to reach one of these sites is sent elsewhere instead of to the real server. Because microsoft.com and windowsupdate.microsoft.com are included, Windows Update is blocked as well. The affected hostnames are:

  • antivirus.esaugumas.lt
  • aonealarm.com
  • avast.com
  • avp.com
  • barracudanetworks.com
  • bitdefender.com
  • bkav.com.vn
  • ca.com
  • dispatch.mcafee.com
  • drweb.com
  • esaugumas.lt
  • esecurity.lt
  • eset.com
  • free-av.com
  • f-secure.com
  • grisoft.com
  • kaspersky.com
  • kaspersky.ru
  • kaspersky-labs.com
  • mast.mcafee.com
  • mcafee.com
  • microsoft.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • nod32.com
  • nod32.datsec.de
  • nod32.de
  • nod32.it
  • nod32.nl
  • nod32-es.com
  • norman.com
  • pandasecurity.com
  • pandasoftware.com
  • sandbox.norman.com
  • sophos.com
  • symantec.com
  • symantecliveupdate.com
  • trendmicro.com
  • viruslist.com
  • virusscan.jotti.org
  • virustotal.com
  • windowsupdate.microsoft.com
  • www.free-av.com
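
A HOSTS-file check for this kind of tampering, added here as an example (not F-Secure tooling). It goes slightly beyond the page: rather than only looking for random addresses, it flags any entry for a security-vendor or update domain, since a legitimate HOSTS file has no reason to carry one, and distinguishes entries that null-route a site from ones that redirect it. WATCHED_DOMAINS is a subset of the list above; the sample file is constructed, with RFC 5737 documentation addresses standing in for the random ones.

```python
"""Detect HOSTS-file tampering of the kind described above.

Added example for this page, not F-Secure tooling. It parses HOSTS syntax
(address, whitespace, one or more hostnames, optional '#' comment) and flags
any entry for a watched domain or one of its subdomains. Entries pointing at
a loopback or null address are reported as "blackhole", anything else as
"redirect" (Skipi.A uses random addresses).
"""
import ipaddress

# Subset of the hostnames listed on the page.
WATCHED_DOMAINS = {
    "f-secure.com", "kaspersky.com", "symantec.com", "mcafee.com",
    "microsoft.com", "windowsupdate.microsoft.com", "virustotal.com",
}
NULL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (address, hostname, line_number) for each mapping in HOSTS text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only or truncated
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not a valid IPv4/IPv6 literal
        for host in fields[1:]:
            yield str(address), host.lower().rstrip("."), lineno


def is_watched(host):
    """True for a watched domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return a list of {"line", "host", "ip", "kind"} for suspicious entries."""
    hits = []
    for address, host, lineno in parse_hosts(text):
        if is_watched(host):
            kind = "blackhole" if address in NULL_TARGETS else "redirect"
            hits.append({"line": lineno, "host": host, "ip": address, "kind": kind})
    return hits


# Constructed sample of a tampered HOSTS file (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, used in place of random addresses).
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.0.2.45      f-secure.com www.f-secure.com
198.51.100.7    kaspersky.com
127.0.0.1       ads.example.net     # user blocklist entry, not a hijack
0.0.0.0         symantec.com
"""

if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

To check a live machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks(); an empty result for the vendor domains is the expected state on a clean host.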

Propagation

This malware attaches to the running Skype client through Skype's public desktop API: on Windows a program broadcasts the registered window message "SkypeControlAPIDiscover" and Skype answers with an attach message. Skype normally asks the user to allow or deny a program that requests API access, so such a prompt appearing shortly after opening a downloaded "photo" is itself a warning sign. Once connected, the worm sets the Skype user's status to DND ("Do Not Disturb") and sends messages to all of the Skype contacts on the infected user's computer. Several of the messages are in Lithuanian (translated in parentheses); the strings are reproduced verbatim, typos included, because they are usable as detection strings, and "(devil)", "(happy)", "(mm)" and "(rofl)" are Skype emoticon codes. Below are the possible messages:

  • (devil)
  • (happy)
  • (mm) kaip as taves noriu (Lithuanian: "(mm) how I want you")
  • (rofl)
  • as net nezinau ka tavo vietoj daryciau. (Lithuanian: "I don't even know what I would do in your place.")
  • cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D (Lithuanian: "I played around a bit with Photoshop here, but you still look good :D")
  • cia tu isimetei ? (Lithuanian: "did you post this?")
  • geras ane ? (Lithuanian: "nice, isn't it?")
  • haha lol
  • how are u ? :)
  • I used photoshop and edited it
  • kas cia tavim taip isderge ? =]] (Lithuanian: "who messed you up like that? =]]")
  • labas (Lithuanian: "hi")
  • look what crazy photo Tiffany sent to me,looks cool
  • matai :D (Lithuanian: "see :D")
  • now u populr
  • oh sry not for u
  • oops sorry please don't look there :S
  • pala biski (Lithuanian: "wait a sec")
  • patinka? (Lithuanian: "like it?")
  • really funny
  • this (happy) sexy one
  • u happy ?
  • what ur friend name wich is in photo ?
  • where I put ur photo :D
  • you checked ?
  • your photos looks realy nice
  • zek kur tavo foto metos isdergta (Lithuanian: roughly "look, your photo has been messed up")
  • ziurek kur tavo foto imeciau :D (Lithuanian: "look where I posted your photo :D")

Each message includes a link to one of the following URLs, which host copies of the malware:

  • https://www.fakme.org/erotic-gallerys/usr5d8c/[removed]
  • https://www.myimagespace.net/erotic-gallerys/usr5d8c/[removed]

The worm copy hosted on these sites usually has an .SCR (screen saver) extension, which is an executable format despite the photo lure in the messages. The worm also copies itself to all available removable drives as game.exe and writes an autorun.inf file on each, so that the copy is started when the drive is opened on a system that honours AutoRun.
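
An autorun.inf inspector for removable media, added here as an example (not F-Secure tooling). The page only says that the worm writes an autorun.inf beside game.exe; this example shows the general check a responder would run on any suspect drive, reporting every entry that can start a program when the drive is opened. The sample autorun.inf and the file listing are constructed.

```python
"""Inspect an autorun.inf of the kind Skipi.A writes beside game.exe.

Added example for this page, not F-Secure tooling; the sample autorun.inf is
constructed. Real-world autorun.inf files are often not strict INI (odd
casing, duplicate keys, shell\\<verb>\\command keys, a BOM), so the file is
parsed by hand rather than with configparser. launch_targets() reports every
entry that can start a program when the drive is opened: open=, shellexecute=
and any shell\\<verb>\\command=; icon=, label= and action= are cosmetic.
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {section: [(key, value), ...]}, section and key lowercased,
    duplicates kept in file order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()      # tolerate a UTF-8 BOM
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_targets(text):
    """List (key, command) pairs from [autorun] that execute something."""
    targets = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def assess(text, files_on_drive):
    """Pair each launch target with whether its executable is on the drive."""
    present = {name.lower() for name in files_on_drive}
    findings = []
    for key, command in launch_targets(text):
        words = command.split()
        executable = words[0].strip('"').lower() if words else ""
        findings.append({"key": key, "command": command,
                         "executable": executable, "on_drive": executable in present})
    return findings


# Constructed sample modelled on the description (game.exe plus an autorun.inf).
SAMPLE_AUTORUN = """\
[AutoRun]
open=game.exe
icon=game.exe,0
shell\\open\\command=game.exe
shell\\explore\\command=game.exe
shellexecute=game.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN, ["autorun.inf", "game.exe", "photo.jpg"]):
        print(finding)
```

Supported Windows versions no longer honour autorun.inf on USB drives, but the file together with a game.exe on the drive remains a clear indicator that the medium has been connected to an infected host.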

Payload

The worm checks for Internet connectivity and may download a file from the following sites (mostly free web-hosting and forum profile pages); these addresses are useful for network-level blocking and for reviewing proxy or DNS logs:

  • ragai.myartsonline.com
  • bedclip.com
  • 4444mb.com
  • www.gamesforum.com/[removed].php?u=13699
  • sdgfg.alladultmale.com
  • www.freewebs.com/kole123a/[removed].htm
  • members.lycos.co.uk/kale77a/[removed].htm
  • forum.ragezone.com/members/superkliper9999/[removed].htm
  • fdfddf.attorney-site.com
  • asdfdgfg.mylawsite.net
  • kupralana77.110mb.com
  • www.kale45.php0h.com
  • kale99.blog.co.uk
  • ttyy.lookingat.us
  • trrrr.cpa-site.com
  • zopa.110mb.com