A type of worm that spreads on vulnerable Instant Messaging (IM) networks.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
IM-Worm:W32/Skipi.A is an IM-worm that spreads via the Instant Messaging application Skype Chat. It sends short text messages with URLs for two different websites. If the recipient follows the link, they are taken to a website where they are prompted to download a copy of the worm. After being run, the worm displays an image, usually "Soap Bubbles" (this image is a standard wallpaper provided with the Windows operating system).
Once downloaded onto a computer, the worm drops the following copies of itself:
The worm then installs itself to the system and creates several startup keys for itself in the Registry:
It also creates the following registry key:
This malware terminates processes with the following names:
The worm also modifies the Windows HOSTS file in order to block access to anti-virus vendor sites. It modifies the HOSTS file so that when the user accesses an anti-virus site, the request is redirected to a random IP address. Here are the related anti-virus sites:
This malware communicates with Skype using the API "SkypeControlAPIDiscover". When connected to Skype, it sets the status of the Skype user to DND ("Do Not Disturb"). It also sends messages to all of the Skype contacts on the infected user's computer. Below are the possible messages:
Each message includes a link that points to one of the following URLs. The links below point to copies of the malware:
The worm copy located on these sites will usually have an SCR extension. The worm also copies itself to all available removable drives under the name "game.exe". It also creates an autorun.inf file so that the malware runs when the removable drive is accessed.
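A triage check for the removable-drive behaviour described above, as an added example that is not part of the original description: it parses an autorun.inf and flags a drive whose autorun entry launches "game.exe" while that file sits in the drive root. The description does not show the autorun.inf the worm writes, so the keys inspected here (`open`, `shellexecute`, `shell\...\command`) are an assumption based on the standard autorun.inf format, and the sample file is constructed.

```python
import ntpath

# Keys in the [autorun] section that name a program to launch (assumed, see lead-in).
LAUNCH_KEYS = ("open", "shellexecute")
# File name the worm gives its removable-drive copy, per the description.
WORM_COPY_NAME = "game.exe"

# Constructed sample, not taken from a real infection.
SAMPLE_INF = "[AutoRun]\r\n; constructed sample\r\nopen=game.exe\r\nicon=game.exe\r\n"


def autorun_targets(inf_text):
    """Return the file names (lower-cased) that an autorun.inf would launch."""
    targets = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue  # icon=, label= and similar keys do not start a program
        # Keep only the executable: a quoted path may contain spaces,
        # an unquoted one ends at the first whitespace (arguments follow).
        if value.startswith('"'):
            exe = value[1:].split('"', 1)[0]
        else:
            exe = value.split(None, 1)[0] if value else ""
        if exe:
            targets.append(ntpath.basename(exe).lower())
    return targets


def is_suspicious(inf_text, root_files):
    """True when autorun.inf launches game.exe and the drive root holds that file."""
    present = {name.lower() for name in root_files}
    return WORM_COPY_NAME in autorun_targets(inf_text) and WORM_COPY_NAME in present


if __name__ == "__main__":
    print(is_suspicious(SAMPLE_INF, ["GAME.EXE", "autorun.inf"]))
```

Because "game.exe" is also a plausible name for legitimate software, a hit is a lead for scanning the file, not a verdict.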
The worm attempts to check connectivity and may download a file from the following sites: