Home / malware IM-Worm:W32/Skipi.A
First posted on 12 September 2007.
Source: SecurityHomeAliases :
IM-Worm:W32/Skipi.A is also known as Worm.Win32.Skipi.A.
Explanation :
IM-Worm:W32/Skipi.A is an Instant Messaging worm that spreads via Skype Chat.
It sends short text messages with URLs for two different websites. After redirection, the recipient is prompted to download a copy of the worm with an .SCR extension.
It drops the following copies of itself:
- %Windir%system32mshtmldat32.exe
- %Windir%system32sdrivew32.exe
- %Windir%system32winlgcvers.exe
- %Windir%system32wndrivs32.exe
The worm then installs itself to the system and creates several startup keys for itself in the Registry:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce
"Services Start" = "mshtmldat32.exe" - HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
"Windows Sys" = "explorer.exe mshtmldat32.exe" - HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
"Logon Settings" = "mshtmldat32.exe
It also creates the following registry key:
- HKEY_LOCAL_MACHINESOFTWARERMXcfg
This malware terminates processes with the following names:
- _AVP32
- _AVPCC
- _AVPM
- 53ARCH
- ACKWIN32
- ADAWARE
- ADVXDWIN
- AGENTSVR
- AGENTW
- ALERTSVC
- ALEVIR
- ALOGSERV
- AMON9X
- ANTI-TROJAN
- ANTIVIRUS
- APIMONITOR
- APLICA32
- APORTS
- APVXDWIN
- ARMKILLER
- ATCON
- ATGUARD
- ATRO55EN
- ATUPDATER
- ATWATCH
- AUPDATE
- AUTODOWN
- AUTOTRACE
- AUTOUPDATE
- AVCONSOL
- AVE32
- AVGCC32
- AVGCTRL
- AVGNT
- AVGSERV
- AVGSERV9
- AVGUARD
- AVKPOP
- AVKSERV
- AVKSERVICE
- AVKWCTl9
- AVLTMAIN
- AVP32
- AVPCC
- AVPDOS32
- AVPTC32
- AVPUPD
- AVSCHED32
- AVSYNMGR
- AVWIN95
- AVWINNT
- AVWUPD
- AVWUPD32
- AVWUPSRV
- AVXMONITOR9X
- AVXMONITORNT
- AVXQUAR
- BACKWEB
- BARGAINS
- BD_PROFESSIONAL
- BEAGLE
- BIDEF
- BIDSERVER
- BIPCP
- BIPCPEVALSETUP
- BLACKD
- BLACKICE
- BOOTCONF
- BOOTWARN
- BORG2
- BRASIL
- BS120
- BUNDLE
- CCAPP
- CCEVTMGR
- CCPXYSVC
- CFGWIZ
- CFIADMIN
- CFIAUDIT
- CFINET
- CFINET32
- Claw95
- CLAW95CF
- CLEAN
- CLEANER
- CLEANER3
- CLEANPC
- CLICK
- CLIENT
- CMD32
- CMESYS
- CMGRDIAN
- CMON016
- CONDOM
- CPF9X206
- CPFNT206
- CRACKER
- CWNB181
- CWNTDWMO
- DATEMANAGER
- DCOMX
- DEFALERT
- DEFSCANGUI
- DEFWATCH
- DEPUTY
- DLLCACHE
- DLLREG
- DOORS
- DPFSETUP
- DPPS2
- DRWATSON
- DRWEB32
- DRWEBUPW
- DSSAGENT
- DVP95
- DVP95_0
- ECENGINE
- EFPEADM
- ESAFE
- ESCANH95
- ESCANHNT
- ESCANV95
- ESPWATCH
- ETHEREAL
- ETRUSTCIPE
- EXE.AVXW
- EXPERT
- EXPLORE
- F-AGNT95
- F-AGOBOT
- FAMEH32
- FCH32
- FIH32
- FINDVIRU
- FIREWALL
- FLOWPROTECTOR
- FNRB32
- FPORT
- FPROT
- F-PROT
- F-PROT95
- FP-WIN
- FP-WIN_TRIAL
- FRHED
- FSAV32
- FSAV530STBYB
- FSAV530WTBYB
- FSAV95
- FSGK32
- FSM32
- FSMA32
- FSMB32
- F-STOPW
- GATOR
- GBMENU
- GBPOLL
- GENERICS
- GUARD
- GUARDDOG
- HACKTRACERSETUP
- HBINST
- HBSRV
- HIJACKTHIS
- HONEYD
- HOTACTIO
- HOTPATCH
- HTLOG
- HTPATCH
- HXIUL
- IAMAPP
- IAMSERV
- IAMSTATS
- IBMASN
- IBMAVSP
- ICESWORD
- ICLOAD95
- ICLOADNT
- ICMON
- ICSUPP95
- ICSUPPNT
- IEDLL
- IEDRIVER
- IEXPLORER
- IFACE
- IFW2000
- IISLOCKD
- INETLNFO
- INFUS
- INFWIN
- INTDEL
- INTREN
- IOMON98
- IPARMOR
- ISASS
- ISRV95
- ISTSVC
- JAMMER
- JDBGMRG
- KAVLITE40ENG
- KAVPERS40ENG
- KAVPF
- KAVSVC
- KAZZA
- KEENVALUE
- KERNEL32
- LAUNCHER
- LDNETMON
- LDPRO
- LDPROMENU
- LDSCAN
- LNETINFO
- LOADER
- LOCALNET
- LOCKDOWN
- LOCKDOWN2000
- LOGGER
- LOGVIEWER
- LOOKOUT
- LORDPE
- LSETUP
- LUALL
- LUCOMSERVER
- LUINIT
- LUSPT
- MAPISVC32
- MCAGENT
- MCMNHDLR
- MCSHIELD
- MCTOOL
- MCUPDATE
- MCVSRTE
- MCVSSHLD
- MFIN32
- MFW2EN
- MFWENG3.02D30
- MGAVRTCL
- MGAVRTE
- MGHTML
- MINILOG
- MONITOR
- MOOLIVE
- MOSTAT
- MPFAGENT
- MPFSERVICE
- MPFTRAY
- MRFLUX
- MSAPP
- MSBLAST
- MSCACHE
- MSCCN32
- MSCMAN
- MSCONFIG
- MSDOS
- MSIEXEC16
- MSINFO32
- MSLAUGH
- MSMGT
- MSMSGRI32
- MSSMMC32
- MSSYS
- MSVXD
- MU0311AD
- MWATCH
- N32SCANW
- NAVAP.NAVAPSVC
- NAVAPSVC
- NAVAPW32
- NAVDX
- NAVLU32
- NAVNT
- NAVSTUB
- NAVW32
- NAVWNT
- NC2000
- NCINST4
- NDD32
- NEOMONITOR
- NEOWATCHLOG
- NETARMOR
- NETD32
- NETINFO
- NETMON
- NETSCANPRO
- NETSTAT
- NETUTILS
- NISSERV
- NISUM
- NMAIN
- NOD32
- NOD32CC
- NOD32KRN
- NOD32KUI
- NOD32M2
- NORMIST
- NOTSTART
- NPFMESSENGER
- NPROTECT
- NPSCHECK
- NPSSVC
- NSCHED32
- NSSYS32
- NSTASK32
- NSUPDATE
- NTRTSCAN
- NTVDM
- NTXconfig
- NUPGRADE
- NVARCH16
- NVC95
- NVSVC32
- NWINST4
- NWSERVICE
- NWTOOL16
- OLLYDBG
- ONSRVR
- OPTIMIZE
- OSTRONET
- OTFIX
- OUTPOST
- OUTPOSTINSTALL
- PADMIN
- PANIXK
- PATCH
- PAVCL
- PAVPROXY
- PAVSCHED
- PCC2002S902
- PCC2K_76_1436
- PCCIOMON
- PCCNTMON
- PCCWIN97
- PCCWIN98
- PCDSETUP
- PCFWALLICON
- PCIP10117_0
- PCSCAN
- PDSETUP
- PEDASM
- PENIS
- PERISCOPE
- PERSFW
- PERSWF
- pexplorer
- PFWADMIN
- PGMONITR
- PINGSCAN
- PLATIN
- PMDUMP
- POP3TRAP
- POPROXY
- POPSCAN
- PORTDETECTIVE
- PORTMONITOR
- POWERSCAN
- PPINUPDT
- PPTBC
- PPVSTOP
- PRIZESURFER
- PRMVR
- PROCDUMP
- PROCESSMONITOR
- PROCEXP
- PROGRAMAUDITOR
- PROPORT
- PROTECTX
- PURGE
- PUSSY
- PVIEW95
- QCONSOLE
- QSERVER
- RAPAPP
- RAV7WIN
- RAV8WIN32ENG
- RCSYNC
- REALMON
- REGCLEANER
- REGED
- REGEDIT
- REGEDT32
- RERGCLEANR
- RESCUE
- RESCUE32
- RRGUARD
- RSHELL
- RTVSCAN
- RTVSCN95
- RULAUNCH
- RUN32DLL
- RUNDLL
- RUNDLL16
- RUXDLL32
- SAFEWEB
- SAHAGENT
- SAVENOW
- SBSERV
- SCAM32
- SCAN32
- SCAN95
- SCANPM
- SCRSCAN
- SCRSVR
- SCVHOST
- SERV95
- SERVICE
- SERVLCE
- SERVLCES
- SETUPVAMEEVAL
- SGSSFW32
- SHELLSPYINSTALL
- SHOWBEHIND
- SMSS32
- SPERM
- SPHINX
- SPOLER
- SPOOLCV
- SPOOLSV32
- SPYXX
- SREXE
- SS3EDIT
- SSG_4104
- SSGRATE
- START
- STCLOADER
- SUPFTRL
- SUPPORT
- SUPPORTER5
- SVCHOSTC
- SVCHOSTS
- SVSHOST
- SWEEP95
- SYMPROXYSVC
- SYMTRAY
- SYSEDIT
- SYSTEM
- SYSTEM32
- SYSUPD
- TASKMG
- TASKMO
- TASKMON
- TAUMON
- TBSCAN
- TCPVIEW
- TDS2-98
- TDS2-NT
- TDS-3
- TEEKIDS
- TFAK5
- TGBOB
- TITANIN
- TITANINXP
- TRACERT
- TRICKLER
- TRJSCAN
- TRJSETUP
- TROJANTRAP3
- TSADBOT
- TVTMD
- UNDOBOOT
- UPDAT
- UPDATE
- UPGRAD
- UTPOST
- VBCMSERV
- VBCONS
- VBUST
- VBWIN9X
- VBWINNTW
- VCSETUP
- VET32
- VET95
- VETTRAY
- VFSETUP
- VIR-HELP
- VNLAN300
- VNPC3000
- VPC32
- VPC42
- VPFW30S
- VPTRAY
- VSCAN40
- VSCENU6.02D30
- VSCHED
- VSECOMR
- VSHWIN32
- VSISETUP
- VSMAIN
- VSMON
- VSSTAT
- VSWIN9XE
- VSWINNTSE
- VSWINPERSE
- W32DSM89
- WATCHDOG
- WEBDAV
- WEBSCANX
- WEBTRAP
- WFINDV32
- WGFE95
- WHOSWATCHINGME
- WIMMUN32
- WIN32
- WIN32US
- WINACTIVE
- WIN-BUGSFIX
- WINDBG
- WINDOW
- WINDOWS
- WINDUMP
- WININETD
- WININIT
- WININITX
- WINLOGIN
- WINMAIN
- WINNET
- WINPPR32
- WINRECON
- WINSERVN
- WINSSK32
- WINSTART
- WINSTART001
- WINTSK32
- WINUPDATE
- WKUFIND
- WRADMIN
- WRCTRL
- WSBGATE
- WUPDATER
- WUPDT
- XPF202EN
- ZAPRO
- ZAPSETUP3001
- ZATUTOR
- ZONALM2601
- ZONEALARM
This malware communicates with Skype using the API "SkypeControlAPIDiscover". When properly communicated with Skype, it sets the status of the Skype User as DND or "Do not Disturb". It also sends messages to all of the Skype Contacts on the infected user's computer. Below are the possible messages in Skype Chat:
- (devil)
- (happy)
- (mm) kaip as taves noriu
- (rofl)
- as net nezinau ka tavo vietoj daryciau.
- cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
- cia tu isimetei ?
- geras ane ?
- haha lol
- how are u ? :)
- I used photoshop and edited it
- kas cia tavim taip isderge ? =]]
- labas
- look what crazy photo Tiffany sent to me,looks cool
- matai :D
- now u populr
- oh sry not for u
- oops sorry please don't look there :S
- pala biski
- patinka?
- really funny
- this (happy) sexy one
- u happy ?
- what ur friend name wich is in photo ?
- where I put ur photo :D
- you checked ?
- your photos looks realy nice
- zek kur tavo foto metos isdergta
- ziurek kur tavo foto imeciau :D
It includes a link that points to any of the following URLs. The links below point to copies of the malware:
- http://www.fakme.org/erotic-gallerys/usr5d8c/[removed]
- http://www.myimagespace.net/erotic-gallerys/usr5d8c/[removed]
The worm also modifies the Windows HOSTS file in order to block access to anti-virus vendor sites. It modifies the HOSTS file in a way that when the user access an anti-virus site, it will be redirected to a random IP address.
Here are the related antivirus sites:
- antivirus.esaugumas.lt
- aonealarm.com
- avast.com
- avp.com
- barracudanetworks.com
- bitdefender.com
- bkav.com.vn
- ca.com
- dispatch.mcafee.com
- drweb.com
- esaugumas.lt
- esecurity.lt
- eset.com
- free-av.com
- f-secure.com
- grisoft.com
- kaspersky.com
- kaspersky.ru
- kaspersky-labs.com
- mast.mcafee.com
- mcafee.com
- microsoft.com
- my-etrust.com
- nai.com
- networkassociates.com
- nod32.com
- nod32.datsec.de
- nod32.de
- nod32.it
- nod32.nl
- nod32-es.com
- norman.com
- pandasecurity.com
- pandasoftware.com
- sandbox.norman.com
- sophos.com
- symantec.com
- symantecliveupdate.com
- trendmicro.com
- viruslist.com
- virusscan.jotti.org
- virustotal.com
- windowsupdate.microsoft.com
- www.free-av.com
It also attempts to check connectivity and to possibly download a file from the following sites:
- ragai.myartsonline.com
- bedclip.com
- 4444mb.com
- www.gamesforum.com/[removed].php?u=13699
- sdgfg.alladultmale.com
- www.freewebs.com/kole123a/[removed].htm
- members.lycos.co.uk/kale77a/[removed].htm
- forum.ragezone.com/members/superkliper9999/[removed].htm
- fdfddf.attorney-site.com
- asdfdgfg.mylawsite.net
- kupralana77.110mb.com
- www.kale45.php0h.com
- kale99.blog.co.uk
- ttyy.lookingat.us
- trrrr.cpa-site.com
- zopa.110mb.com
The worm also copies itself to all available removable drives with the name of "game.exe". It also creates an autorun.inf so that when the removable drive is accessed, the malware will run.
Last update 12 September 2007