
Spammer:VBS/Skypams.gen!B


First posted on 14 May 2013.
Source: Microsoft

Aliases:

Spammer:VBS/Skypams.gen!B is also known as IM-Worm.VBS.Skypper.i (Kaspersky), VBS/Skypespammer.A worm (ESET), VBS/Spam.Skypams.B.2 (Avira), IM-Worm.VBS.Skypper (Ikarus), SpamTool.VBS.Skypams (Ikarus), IM-Worm.VBS.Skypper.g (Kaspersky), IM-Worm.VBS.Skypper.b (Kaspersky).

Explanation:



Installation

Spammer:VBS/Skypams.gen!B can be installed by a drive-by download or by other malware already on your computer.

The spammer is saved in the %TEMP% folder. We have seen it saved under the following file names:

  • install_temp.vbs
  • readme.vbs
  • video-hack.vbs
  • instrukcia.vbs


It is then run using Windows Script Host (wscript.exe) and deleted.
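
Because the script is deleted after it runs, process-creation logs are a more durable trace than the file itself. The following added example (not part of the original Microsoft write-up) triages command lines for wscript.exe launching a .vbs file from a temp folder and marks the file names listed above; the log lines are constructed, and treating any "Temp" path component as the temp folder is an assumption.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any platform

# File names the page lists for this family (lower-cased for comparison).
KNOWN_NAMES = {"install_temp.vbs", "readme.vbs", "video-hack.vbs", "instrukcia.vbs"}
# A command-line argument is either "quoted text" or a run of non-space characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Assumption: a "Temp" path component or an unexpanded %TEMP%/%TMP% marks the temp folder.
TEMP_DIR = re.compile(r'(^|\\)(temp|%temp%|%tmp%)(\\|$)', re.IGNORECASE)

def classify(command_line):
    """Return 'known-name', 'temp-vbs' or None for one process command line."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    if not tokens or basename(tokens[0]).lower() not in ("wscript.exe", "wscript"):
        return None
    # WSH host options start with // (for example //B); the first other argument is the script.
    args = [t for t in tokens[1:] if not t.startswith("//")]
    if not args or not args[0].lower().endswith(".vbs"):
        return None
    script = args[0]
    if not TEMP_DIR.search(dirname(script)):
        return None
    return "known-name" if basename(script).lower() in KNOWN_NAMES else "temp-vbs"

SAMPLE_EVENTS = [  # constructed process-creation command lines, not taken from the page
    r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\install_temp.vbs"',
    r'wscript.exe //B C:\Users\alice\AppData\Local\Temp\update42.vbs',
    r'WScript.exe "%TEMP%\Instrukcia.VBS"',
    r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
    r'"C:\Windows\System32\notepad.exe" "C:\Users\alice\AppData\Local\Temp\readme.vbs"',
]

def triage(events):
    """Keep only the events that classify() flags, paired with their verdict."""
    return [(verdict, e) for e in events if (verdict := classify(e))]

if __name__ == "__main__":
    for verdict, line in triage(SAMPLE_EVENTS):
        print(f"{verdict:10}  {line}")
```

A "temp-vbs" verdict only means a script ran from a temp folder and needs a second look; "known-name" matches one of the file names listed above.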

Payload

Sends spam

Spammer:VBS/Skypams.gen!B includes a malicious script written in VBScript (.vbs), for example install_temp.vbs.

This script opens the Skype window and sends messages to your Skype contacts.

These messages usually include a link to other files and websites that may be malicious.

Examples of the messages sent to the Skype contacts of an infected computer include:

  • www.none.<removed> ;)
  • ako iska6 i ti da moje6 da gleda6 horata taka vlez tuk http://skrita-<removed>.hit.bg
  • WWW.COMLANE.<removed> ZE DEVS SHEDI DA GADMOCERE AU RA KAIA EXLA BEVRS GAUTEXAV
  • Tuk li si ? :) Svalih mn qki emotikonki (party) i sa nad 100 svalih si gi ot http://skype-emotikonii.<removed>.bg/ i ti mojesh da si gi svalish bezplatni sa (party) :) Probvai mn sa qki (rock)
  • vij kvo namerix http://www.spomennik.<removed>.bg
  • (hi) eii vij kvo namerix http://skypee-emoticons.<removed>.bg mn qki emoticoni svali gi i ti
  • http://lefanandsam.<removed>.ru/smilles.vbs
  • www.hacks.<removed>.am daregistrirdi raaa dz gtxov magari mchirdeba arakaci viyo
  • http://www.<removed>.TK Cool!(y)
  • Hi... vrei o progra prin care poti vedea prin videocamera orikarui prieten kare sta pe skype :D atunci descarc-o de aici http://md-<removed>.<removed>/videohack.rar
  • hi i am have good new to tell you Lineage2 server version interlude http://l<removed>optical.com/ pvp server have a nice game ^^
  • http://4All.<removed>.Am Powered By GiorGi6446
  • (drunk) (rock) (finger) (mooning) (bug) (poolparty) (bandit) http://morokos.ucoz.<removed>/load/0-0-0-8-20
  • Saitzea Kvelaperi Axsnili Ginda Shen Megobars Gautexo Skype Mashin Shemo http://toko.<removed>.su/skypehack Martla Mushaobs :)
  • Doresti sa Spionezi prientenul de pe Skype prin WEBcam fara ca el sa stie? Acum acesta e posibil !!! Fara minciuni !!! Citeste articolul: http://torrents-portal.com/<removed>-spion.phtml


Additional information

This spammer uses Skype4COM - a Windows-based COM DLL that acts as a wrapper between the text-based Skype desktop API and third party programs or applications.

There are more details about Skype4COM on the Skype developers forum.



Analysis by Patrik Vicol



Last update 14 May 2013

 
