Skyper.B attempts to disguise itself as a security plug-in called Skype Defender. It is packed with UPX 3.0 and it is written with Borland Delphi.Running the malware produces this dialog:
Once run, what looks like the Skype Logon screen is displayed:
Attempting to use the logon screen produces an error message:
Note that the real Skype's sign in button is different than the malware's:
The only functionality that this application has is the "Sign in" button.When the "Sign in" button is clicked, the malware attempts to transmit the username and password to a remote server located at [removed].rxfly.net. Skyper.B also attempts to collect username and password information from the Windows Protected Storage service.The sample itself does not install anything to the user's computer or add any Registry values. When closing the application, it disappears from the process list as would a normal application.The Skyper.B file contains an unused IP Address that points to a location somewhere in Russia. This secondary address was used by Skyper.A.Additionally, it doesn't have any automatic mechanisms to spread itself so it must be sent by its author via email, through a website, or even via IM (Instant Messengers) such as Yahoo, MSN, ICQ, and Skype.