Threat Description

Trojan-Spy: W32/Skyper.B

Details

Category: Malware
Type: Trojan-Spy
Platform: W32
Aliases: TSPY_SPEYK.A, Win32/Spy.Skyper.B, Trojan-Spy.Win32.Skyper.b, TR/Spy.Skyper.B, Trojan-PSW:W32/Agent.RJ

Summary


Skyper.B is a malware program that imitates Skype and attempts to steal sensitive information such as the user's Skype details and other username/password information stored in Internet Explorer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Skyper.B attempts to disguise itself as a security plug-in called Skype Defender. It is packed with UPX 3.0 and it is written with Borland Delphi.Running the malware produces this dialog:

Once run, what looks like the Skype Logon screen is displayed:

Attempting to use the logon screen produces an error message:

Note that the real Skype's sign in button is different than the malware's:

The only functionality that this application has is the "Sign in" button.When the "Sign in" button is clicked, the malware attempts to transmit the username and password to a remote server located at [removed].rxfly.net. Skyper.B also attempts to collect username and password information from the Windows Protected Storage service.The sample itself does not install anything to the user's computer or add any Registry values. When closing the application, it disappears from the process list as would a normal application.The Skyper.B file contains an unused IP Address that points to a location somewhere in Russia. This secondary address was used by Skyper.A.Additionally, it doesn't have any automatic mechanisms to spread itself so it must be sent by its author via e-mail, through a website, or even via IM (Instant Messengers) such as Yahoo, MSN, ICQ, and Skype.



Detection


F-Secure Anti-Virus detects this malware with the following updates:

Detection Type: PC
Database: 2007-10-16_01



Description Created: 2007-10-17 14:50:56.0

Description Last Modified: 2007-10-17 17:25:32.0


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More