Worm:Win32/SkyDll.A
First posted on 13 March 2015.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/SkyDll.A.
Explanation:
Threat behavior
Installation
This malware creates the following file on your PC:
- %TEMP%\RarSFX0\setup_BocaMonitor_142342492788145.exe
It creates the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Sets value: "REG_DWORD"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Sets value: "REG_DWORD"
With data: "0"
Spreads through...
Skype messages
This worm spreads by sending instant messages with malicious links through Skype. It checks if Skype is installed on your PC, and then sends the malicious messages to your contacts. We have seen it send the following message:
- lol!!!
video: http://popvideoskype.com/
Payload
Downloads malware components
This threat can download and run the following file:
- %APPDATA%\Roaming\SkypeFall.exe
This component is used to send malicious messages through Skype to spread the worm. It works as long as Skype is running on your PC.
Stops processes
This threat checks if your default web browser is Chrome or Opera. If so, it stops the processes.
Analysis by Mihai Calota
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
%TEMP%\RarSFX0\setup_BocaMonitor_142342492788145.exe
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Sets value: "REG_DWORD"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Sets value: "REG_DWORD"
With data: "0"
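The symptoms above can be checked with a short script. This is an added example, not part of the original write-up. It assumes that AutoDetect and UNCAsIntranet are value names under the ZoneMap key, that SkypeFall.exe may sit either directly in %APPDATA% or in a Roaming subfolder of it, and the function name Get-SkyDllSymptom is made up for this example.

```powershell
# Added example: looks for the symptoms listed on this page.
# Run it as the affected user, because %TEMP%, %APPDATA% and HKCU are per-user.
function Get-SkyDllSymptom {
    # Files named on the page. %APPDATA% normally already ends in \Roaming,
    # so both readings of the SkypeFall.exe path are checked (assumption).
    $files = @(
        (Join-Path $env:TEMP    'RarSFX0\setup_BocaMonitor_142342492788145.exe'),
        (Join-Path $env:APPDATA 'Roaming\SkypeFall.exe'),
        (Join-Path $env:APPDATA 'SkypeFall.exe')
    )
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Type = 'File'; Item = $path; Detail = 'present' }
        }
    }

    # Registry data named on the page, read as values of the ZoneMap key (assumption).
    # These are ordinary Internet zone settings, so a match alone is only supporting evidence.
    $zoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $expected = @{ AutoDetect = 1; UNCAsIntranet = 0 }
    $props    = Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        # Skip values that do not exist, so a missing value is never read as 0.
        if ($props -and $props.PSObject.Properties[$name] -and
            $props.$name -eq $expected[$name]) {
            [pscustomobject]@{ Type = 'Registry'; Item = "$zoneMap\$name"
                               Detail = "data = $($expected[$name])" }
        }
    }

    # The downloaded component works while Skype is running, so look for its process.
    foreach ($proc in @(Get-Process -Name 'SkypeFall' -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Type = 'Process'; Item = $proc.Name; Detail = "PID $($proc.Id)" }
    }
}

$hits = @(Get-SkyDllSymptom)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    'None of the symptoms listed on this page were found for the current user.'
}
```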
Last update 13 March 2015