Skype Trojan or Virus on the loose?

I just received a Skype PM with a link to what appears to be a jpg from a trusted source (dsc027.jpg), with the wording along the lines of (I removed part of the links):

[02:11:52] NAME SAYS: hey
[02:11:53] NAME SAYS: how are u ? :)
[02:12:03] NAME SAYS: your photos looks realy nice
[02:12:05] NAME SAYS: look what crazy photo Tiffany sent to me,looks cool
[02:12:06] NAME SAYS: http://www.myimagespace.net/erotic-gallerys/usr5d8c/

[02:12:08] NAME SAYS: really funny
[02:12:11] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/
[02:12:16] NAME SAYS: (rofl)
[02:12:18] NAME SAYS: what ur friend name wich is in photo ?
[02:12:21] NAME SAYS: (devil)

[20:01:52] NAME SAYS: hey
[20:02:05] NAME SAYS: where I put ur photo
[20:02:10] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/
[20:02:20] NAME SAYS: what ur friend name wich is in photo ?
[20:02:23] NAME SAYS: (rofl)

[20:51:45] NAME SAYS: hey
[20:51:46] NAME SAYS: how are u ?
[20:52:00] NAME SAYS: where I put ur photo
[20:52:02] NAME SAYS: haha lol
[20:52:05] NAME SAYS: http://www.fakme.org/erotic-gallerys/usr5d8c/

[20:35:43] NAME SAYS: where I put ur photo
[20:35:51] NAME SAYS: http://www.myimagespace.net/erotic-gallerys/usr5d8c/
[20:36:03] NAME SAYS: you checked ?

[09:43:49] NAME SAYS: how are u ? :)
[09:43:49] NAME SAYS: look
[09:43:54] NAME SAYS: really funny
[09:43:59] NAME SAYS: http://www.fakme.org/erotic-gallerys
[09:44:10] NAME SAYS: what ur friend name wich is in photo ?
[09:44:13] NAME SAYS: :D

If the link is clicked, you are redirected to download an executable .SCR file from socsec.co.il that installs malicious code.


This is the full set of strings it can send as messages to other Skype clients:
www.myimagespace.net/erotic-gallerys/usr5d8c/dsc027.jpg www.fakme.org/erotic-gallerys/usr5d8c/dsc027.jpg pala biski :S as net nezinau ka tavo vietoj daryciau. matai :D ;) geras ane ? patinka? kas cia tavim taip isderge ? =]] cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D cia tu isimetei ? zek kur tavo foto metos isdergta (mm) kaip as taves noriu ziurek kur tavo foto imeciau :D esi? labas what ur friend name wich is in photo ? this (happy) sexy one u happy ? oh sry not for u oops sorry please don't look there :S you checked ? :D (rofl) (devil) :) really funny now u populr haha lol look what crazy photo Tiffany sent to me,looks cool I used photoshop and edited it where I put ur photo :D your photos looks realy nice look how are u ? :) hey
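The string list above is also the easiest thing to detect on. The following Python script is an added example, not code from the original post: it parses chat-log lines in the "[HH:MM:SS] NAME SAYS: text" layout shown above, flags any message that links to the quoted lure domains (or to a .scr file), contains the "erotic-gallerys" path fragment, or repeats one of the worm's canned English phrases, and then names contacts whose account has sent two or more such messages, which is the infected friend rather than a one-off odd link. The sample log is constructed from the lines quoted above plus benign lines.

```python
import re
from dataclasses import dataclass

# Lure domains quoted in the chat log above, plus the host the post says serves
# the .SCR payload. Domain matching is exact and brittle; the phrase list
# below is what still catches the worm once it rotates domains.
LURE_DOMAINS = {"www.myimagespace.net", "www.fakme.org", "socsec.co.il"}
LURE_PATH_FRAGMENT = "erotic-gallerys"

# Canned English lines from the worm's string list above, lower-cased.
LURE_PHRASES = (
    "what ur friend name wich is in photo",
    "where i put ur photo",
    "look what crazy photo tiffany sent to me",
    "your photos looks realy nice",
    "i used photoshop and edited it",
    "now u populr",
    "oops sorry please don't look there",
    "you checked ?",
)

# "[HH:MM:SS] Sender SAYS: text", as the log in the post is laid out.
LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\]\s+(.+?)\s+says:\s*(.*)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)


@dataclass
class Message:
    time: str
    sender: str
    text: str


def parse_line(line):
    """Split one chat-log line into a Message, or None if it is not a chat line."""
    m = LINE_RE.match(line.strip())
    return Message(*m.groups()) if m else None


def lure_reasons(text):
    """Return the reasons a message text looks like the worm's lure (empty list if clean)."""
    reasons = []
    for host, path in URL_RE.findall(text):
        path = path.lower()
        if host.lower() in LURE_DOMAINS:
            reasons.append(f"known lure domain {host}")
        if LURE_PATH_FRAGMENT in path:
            reasons.append(f"lure path fragment {LURE_PATH_FRAGMENT!r}")
        if path.rstrip("/").endswith(".scr"):
            reasons.append("link to a .scr executable")
    low = text.lower()
    reasons.extend(f"canned worm phrase {p!r}" for p in LURE_PHRASES if p in low)
    return reasons


def scan_chat(lines):
    """Return [(Message, reasons)] for every chat line that matches a lure indicator."""
    hits = []
    for line in lines:
        msg = parse_line(line)
        if msg is not None:
            reasons = lure_reasons(msg.text)
            if reasons:
                hits.append((msg, reasons))
    return hits


def suspicious_senders(hits, threshold=2):
    """Contacts that sent at least `threshold` lure messages: an infected
    account pushes several of them in a burst, a friend sharing a link does not."""
    counts = {}
    for msg, _ in hits:
        counts[msg.sender] = counts.get(msg.sender, 0) + 1
    return {sender for sender, n in counts.items() if n >= threshold}


# Constructed sample: lines copied from the log above plus two benign lines.
SAMPLE_LOG = [
    "[02:11:52] NAME SAYS: hey",
    "[02:12:03] NAME SAYS: your photos looks realy nice",
    "[02:12:05] NAME SAYS: look what crazy photo Tiffany sent to me,looks cool",
    "[02:12:06] NAME SAYS: http://www.myimagespace.net/erotic-gallerys/usr5d8c/",
    "[02:12:18] NAME SAYS: what ur friend name wich is in photo ?",
    "[02:13:00] ALICE SAYS: see you at lunch?",
    "not a chat line at all",
]

if __name__ == "__main__":
    hits = scan_chat(SAMPLE_LOG)
    for msg, reasons in hits:
        print(f"[{msg.time}] {msg.sender}: {msg.text!r} -> {'; '.join(reasons)}")
    print("suspicious senders:", suspicious_senders(hits))
```

Run against an exported Skype history, the per-sender count is the useful output: it tells you which contact to warn that their machine is infected, while the per-message reasons show which indicator fired.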

It also seems to edit the hosts file!

Update at 10:45
Virus warning!! posted on the Skype Forums, which report its name as w32/Ramex.A
More at Skype Heartbeat blog

I have found very little online about this, I will update when I know more!!

Update 9/11
Virus info:
FSecure: W32/Skipi.A
Symantec: W32.Pykspa.D
Kaspersky: Worm.Win32.Skipi.c (see Viruslist.com)
Eset: a variant of Win32/Persky worm

More info here: StechkOv’s Blog

Update 9/12:
Removal instructions!
Expert users — and only expert users — who know what they’re doing can also remove the worm manually.
1. Restart the PC in safe mode (Press F8 during boot)
2. Run regedit
3. Go to HKLM/software/microsoft/windows/currentversion/runonce, find the entry referencing mshtmldat32.exe and delete it.
4. Go to the Windows\System32 directory and delete the following files: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe
5. Go to windows/system32/drivers/etc
6. Open the hosts file with notepad, ctrl+a and delete all entries (this will resume your antivirus updates) then save and close.
7. Restart the PC.
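Before deleting anything, it helps to confirm the indicators from steps 3, 4 and 6 are actually present. The following Python triage script is an added example, not part of the original post or of any vendor tool: it reports hosts-file mappings beyond the stock localhost lines (the edit that stops antivirus updates), checks a directory listing for the four dropped file names, and, on Windows only, lists RunOnce values that reference mshtmldat32.exe. The hosts sample is constructed, and the vendor host names in it are placeholders, not the worm's real list.

```python
import os

# Dropped file names from step 4 of the removal instructions above (lower-cased;
# Windows file names are case-insensitive).
WORM_FILES = {"wndrivs32.exe", "mshtmldat32.exe", "winlgcvers.exe", "sdrivew32.exe"}
RUNONCE_MARKER = "mshtmldat32.exe"          # value to look for in step 3

# The only mappings a stock Windows hosts file carries.
STOCK_HOSTS_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def extra_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs beyond the stock localhost lines.
    The worm's hosts edits are what stop antivirus updates, so every extra pair
    (vendor update hosts pinned to loopback is the classic pattern) is a finding."""
    extra = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:                 # one line may map several names
            pair = (ip, host.lower())
            if pair not in STOCK_HOSTS_ENTRIES:
                extra.append(pair)
    return extra


def worm_files_present(file_names):
    """Given a directory listing, return the worm's dropped file names found in it."""
    return sorted(name.lower() for name in file_names if name.lower() in WORM_FILES)


def scan_system32(system32_dir=r"C:\Windows\System32"):
    """Step 4 check against a live directory (returns [] if it cannot be read)."""
    try:
        return worm_files_present(os.listdir(system32_dir))
    except OSError:
        return []


def runonce_worm_values():
    """Step 3 check: RunOnce values whose data references mshtmldat32.exe.
    Returns None where the winreg module is unavailable (non-Windows hosts)."""
    try:
        import winreg
    except ImportError:
        return None
    found = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
    except OSError:
        return found
    with key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:                    # raised once the values are exhausted
                break
            if RUNONCE_MARKER in str(value).lower():
                found.append((name, value))
            index += 1
    return found


# Constructed sample hosts file: the stock lines plus entries of the kind the
# worm adds. The vendor host names are placeholders, not the worm's real list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test           # placeholder vendor update host
127.0.0.1       downloads.example-av.test liveupdate.example-av.test
"""

# Constructed directory listing standing in for a System32 snapshot.
SAMPLE_LISTING = ["kernel32.dll", "SDRIVEW32.EXE", "notepad.exe", "MSHTMLDAT32.exe"]

if __name__ == "__main__":
    print("extra hosts entries:", extra_hosts_entries(SAMPLE_HOSTS))
    print("worm files in sample listing:", worm_files_present(SAMPLE_LISTING))
    print("RunOnce values (None off Windows):", runonce_worm_values())
```

On the infected machine, feed `extra_hosts_entries` the contents of windows/system32/drivers/etc/hosts and call `scan_system32()` and `runonce_worm_values()`; an empty result from all three after the removal steps is the confirmation that the cleanup took.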

One Response to “Skype Trojan or Virus on the loose?”

  1. Hershel Olk says:

    Nice post dude Thank you
