Home / malware Trojan-Spy:W32/Skyper.B
First posted on 22 October 2007.
Source: SecurityHomeAliases :
Trojan-Spy:W32/Skyper.B is also known as TSPY_SPEYK.A, Win32/Spy.Skyper.B, Trojan-Spy.Win32.Skyper.b, TR/Spy.Skyper.B, Trojan-PSW:W32/Agent.RJ.
Explanation :
Skyper.B is a malware program that imitates Skype and attempts to steal sensitive information such as the user's Skype details and other username/password information stored in Internet Explorer.
Running the malware produces this dialog:
Once run, what looks like the Skype Logon screen is displayed:
Attempting to use the logon screen produces an error message:
Note that the real Skype's sign in button is different than the malware's:
The only functionality that this application has is the "Sign in" button.
When the "Sign in" button is clicked, the malware attempts to transmit the username and password to a remote server located at [removed].rxfly.net. Skyper.B also attempts to collect username and password information from the Windows Protected Storage service.
The sample itself does not install anything to the user's computer or add any Registry values. When closing the application, it disappears from the process list as would a normal application.
The Skyper.B file contains an unused IP Address that points to a location somewhere in Russia. This secondary address was used by Skyper.A.
Additionally, it doesn't have any automatic mechanisms to spread itself so it must be sent by its author via e-mail, through a website, or even via IM (Instant Messengers) such as Yahoo, MSN, ICQ, and Skype.
Last update 22 October 2007