Threat Descriptions

Trojan-Spy:W32/Skyper.B

Classification

Category :

Malware

Type :

Trojan-Spy

Platform :

W32

Aliases :

TSPY_SPEYK.A, Win32/Spy.Skyper.B, Trojan-Spy.Win32.Skyper.b, TR/Spy.Skyper.B, Trojan-PSW:W32/Agent.RJ

Summary

Skyper.B is a malware program that imitates Skype and attempts to steal sensitive information such as the user's Skype details and other username/password information stored in Internet Explorer.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Skyper.B attempts to disguise itself as a security plug-in called Skype Defender. It is packed with UPX 3.0 and it is written with Borland Delphi.Running the malware produces this dialog:

Once run, what looks like the Skype Logon screen is displayed:

Attempting to use the logon screen produces an error message:

Note that the real Skype's sign in button is different than the malware's:

The only functionality that this application has is the "Sign in" button.When the "Sign in" button is clicked, the malware attempts to transmit the username and password to a remote server located at [removed].rxfly.net. Skyper.B also attempts to collect username and password information from the Windows Protected Storage service.The sample itself does not install anything to the user's computer or add any Registry values. When closing the application, it disappears from the process list as would a normal application.The Skyper.B file contains an unused IP Address that points to a location somewhere in Russia. This secondary address was used by Skyper.A.Additionally, it doesn't have any automatic mechanisms to spread itself so it must be sent by its author via email, through a website, or even via IM (Instant Messengers) such as Yahoo, MSN, ICQ, and Skype.