
Win32.IMWorm.Pykse.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.IMWorm.Pykse.B.

Explanation:

Pykse is a Skype worm. The main executable copies itself into the system directory under the name wsydrv32.exe. It then drops a BHO (Browser Helper Object) into the same directory under the name msccfg1.dll; the internal name of that BHO is Invisible.dll.

It creates a specific mutex ("Skype Worm spreader mutex") so that only one instance of the worm runs at a time.

It then creates the following registry keys:
a) HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value [System Driver], pointing to the copy of the main executable (usually C:\Windows\System32\wsydrv32.exe)
b) HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value [System Driver], pointing to the copy of the main executable (usually C:\Windows\System32\wsydrv32.exe)
These two keys ensure that the main executable is run every time the computer is started.

c) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, value [Invisible], pointing to the BHO that the main executable drops (usually C:\Windows\System32\msccfg1.dll). Each time Internet Explorer is started, this BHO is loaded into it.
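The persistence artifacts listed above can be checked for on a suspect machine with the following PowerShell script. This is an added example written for this page, not code from BitDefender; the file names, Run value name and BHO name come from the description, while the CLSID-to-InprocServer32 resolution in step 3 is an assumption about how BHOs are normally registered (the write-up itself only names the BHO value).

```powershell
# Added example: look for the Pykse.B persistence artifacts described above.
# Run in an elevated PowerShell session; read-only, nothing is modified.
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped files in the system directory (names from the write-up)
foreach ($name in 'wsydrv32.exe', 'msccfg1.dll') {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
}

# 2. Run keys: value 'System Driver' under both HKLM and HKCU
foreach ($hive in 'HKLM:', 'HKCU:') {
    $run = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    $val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'System Driver'
    if ($val) { $findings += "Run value 'System Driver' in $run -> $val" }
}

# 3. BHO registrations whose in-process server is msccfg1.dll.
#    Assumption: each BHO subkey is a CLSID whose server path lives under
#    HKLM\Software\Classes\CLSID\<clsid>\InprocServer32 (standard COM layout).
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
    if ($server -and $server -match 'msccfg1\.dll$') { $findings += "BHO $clsid -> $server" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[Pykse.B indicator] $_" }
} else {
    Write-Output 'No Pykse.B persistence artifacts found.'
}
```

Any hit should be confirmed against the file hashes from an up-to-date AV engine before removal, since file and value names alone are weak indicators.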

The worm sends the following instant messages using Skype:
a) oi netau cia turejo but sory
b) netau cia
c) uj netau sry
d) (rofl)
e) (devil)
f) bet cia nesveikai
g) pz ane?
h) paziurek kokia foto andrius atsiunte
i) kaip tau tokia? :D
j) ziurek kur sandros foto imeciau
k) matei kur sandros foto idejo?
l) labas

It displays a picture of a woman.


The worm sends various links from which a new version of Pykse can be downloaded:
http://www.p[removed].ru/foto_galerija/sandra.jpg
http://www.p[removed].ru/lietuvaites/sandra.jpg
http://www.p[removed].ru/lietuvaites/sand.jpg
http://www.p[removed].ru/foto_galerija/sand.jpg

Each of these is actually an executable file (not a JPEG image) which, once run, installs the worm and then shows the picture of a woman.

Last update 21 November 2011
