A type of worm that spreads on vulnerable Instant Messaging (IM) networks.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
IM-Worm:W32/Skipi.A is an IM-worm that spreads via the Instant Messaging application Skype Chat. It sends short text messages with URLs for two different websites. If the recipient follows the link, they are taken to a website where they are prompted to download a copy of the worm. After being run, the worm displays an image, usually "Soap Bubbles" (this image is a standard wallpaper provided with the Windows operating system).
Once downloaded onto a computer, the worm drops the following copies of itself:
The worm then installs itself to the system and creates several startup keys for itself in the Registry:
It also creates the following registry key:
This malware terminates processes with the following names:
The worm also modifies the Windows HOSTS file in order to block access to anti-virus vendor sites. It modifies the HOSTS file so that when the user accesses an anti-virus site, the request is redirected to a random IP address. Here are the related antivirus sites:
This malware communicates with Skype using the API "SkypeControlAPIDiscover". When connected to Skype, it sets the status of the Skype user to DND, or "Do not Disturb". It also sends messages to all of the Skype contacts on the infected user's computer. Below are the possible messages:
Each message includes a link that points to any of the following URLs. The links below point to copies of the malware:
The worm copy located on these sites will usually have an SCR extension. The worm also copies itself to all available removable drives under the name "game.exe". It also creates an autorun.inf file so that when the removable drive is accessed, the malware will run.
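A defender-side check for the removable-drive behaviour described above, added here as an example and not taken from the original write-up: it parses autorun.inf text and reports launch entries whose target is "game.exe". The sample autorun.inf contents are constructed, since the page does not show the file the worm writes, and the function names are hypothetical.

```python
import ntpath

# [autorun] keys that name a program to launch when the drive is accessed.
LAUNCH_KEYS = ("open", "shellexecute")
# File name the description gives for the worm's copy on removable drives.
WORM_COPY_NAME = "game.exe"

# Constructed samples (not captured from an infected drive).
SAMPLE_INFECTED = "[AutoRun]\nopen=game.exe\nshell\\open\\command=game.exe\n"
SAMPLE_CLEAN = "[autorun]\nicon=setup.ico\nopen=setup.exe /s\n"


def autorun_targets(text):
    """Return (key, command) pairs for launch entries in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            # shell\<verb>\command entries launch a program as well.
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in LAUNCH_KEYS or is_verb:
                targets.append((key, value.strip()))
    return targets


def program_of(command):
    """Extract the program path from a command line, dropping quotes and arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split()
    return parts[0] if parts else ""


def flag_worm_autorun(text, name=WORM_COPY_NAME):
    """Return launch entries whose target file name equals `name`, ignoring case."""
    return [(key, command) for key, command in autorun_targets(text)
            if ntpath.basename(program_of(command)).lower() == name.lower()]


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, flag_worm_autorun(sample))
```

A hit on the file name alone is a triage signal, not a verdict; confirm by scanning the referenced file.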
The worm attempts to check connectivity and may download a file from the following sites: