PWS-JO
- Type
- Trojan
- SubType
- Password Stealer
- Discovery Date
- 12/20/2006
- Length
- 116,224 bytes
- Minimum DAT
- 4924 (12/21/2006)
- Updated DAT
- 6516 (10/31/2011)
- Minimum Engine
- 5.1.00
- Description Added
- 12/21/2006
- Description Modified
- 12/21/2006 4:06 PM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Characteristics
This trojan captures all keystrokes and saves them to the file %SysDir%\wmp.
It attempts to contact nsdf.no-ip.biz, however it appears the site is no longer accessible. If connected successfully it can download and execute arbitrary code, and also send back the saved log file containing recorded keystrokes.
System Changes
Registry Elements Added
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2D0CCE2D-2EEF-4432-0503-020002010803}
"StubPath" = "C:\WINDOWS\System32\wmp.exe"
- HKEY_USER\.DEFAULT\Software\Microsoft\esEvcBko*
"NmqrkcBE*" = (binary data)
(* may be a random sequence)
Files Added
- C:\WINDOWS\system32\wmp. (no extension)
- C:\WINDOWS\system32\wmp.exe
Symptoms
- Presence of aforementioned files and registry keys.
- The application creates the following network connection(s):
- nsdf.no-ip.biz:80
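The registry keys, files and network destination listed above can be checked on a suspect host from an elevated PowerShell session. The script below is an added example, not McAfee's own tooling: it only reports, it removes nothing. The GUID, file names and hostname are taken from this description; the eight-letter-name heuristic for the randomised HKU\.DEFAULT key and the "any other Active Setup component pointing at wmp.exe" check are my assumptions, added so a variant with a different key name is not missed.

```powershell
# Added example (not McAfee's tooling): read-only host check for the PWS-JO
# indicators named in this description. Run as Administrator. Reports only.

function Find-PwsJoIndicators {
    $findings = @()

    # --- Active Setup persistence: StubPath is executed at user logon ---
    $asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $asGuid = '{2D0CCE2D-2EEF-4432-0503-020002010803}'   # GUID from this description
    $asKey  = Join-Path $asRoot $asGuid
    if (Test-Path -LiteralPath $asKey) {
        $stub = (Get-ItemProperty -LiteralPath $asKey -ErrorAction SilentlyContinue).StubPath
        $findings += "Active Setup component $asGuid present, StubPath='$stub'"
    }
    # Assumption: a variant might register under another GUID, so also flag any
    # component whose StubPath points at System32\wmp.exe.
    foreach ($comp in (Get-ChildItem -LiteralPath $asRoot -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -LiteralPath $comp.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -match '\\System32\\wmp\.exe"?$' -and $comp.PSChildName -ne $asGuid) {
            $findings += "Active Setup component $($comp.PSChildName) has StubPath='$stub'"
        }
    }

    # --- Randomised data key under HKU\.DEFAULT\Software\Microsoft ---
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $msRoot = 'HKU:\.DEFAULT\Software\Microsoft'
    foreach ($key in (Get-ChildItem -LiteralPath $msRoot -ErrorAction SilentlyContinue)) {
        $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
        # Heuristic (my assumption, modelled on esEvcBko* / NmqrkcBE* above): an
        # eight-letter subkey whose values are all REG_BINARY with eight-letter names.
        $odd = @($names | Where-Object {
            $_ -notmatch '^[A-Za-z]{8}$' -or $key.GetValueKind($_) -ne 'Binary'
        })
        if ($key.PSChildName -match '^[A-Za-z]{8}$' -and $names.Count -gt 0 -and $odd.Count -eq 0) {
            $findings += "Suspicious key $($key.Name) holding binary value(s): $($names -join ', ')"
        }
    }

    # --- Dropped files in System32 ---
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # "wmp." with no extension is stored as plain "wmp": Win32 drops a trailing dot.
    foreach ($name in @('wmp', 'wmp.exe')) {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $note = if ($item.Length -eq 116224) { ' (matches the 116,224-byte length listed)' } else { '' }
            $findings += "File present: $path, $($item.Length) bytes, modified $($item.LastWriteTime)$note"
        }
    }

    # --- Network: the hostname the trojan tries to reach (port 80) ---
    $c2 = 'nsdf.no-ip.biz'
    foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$c2*" })) {
        $findings += "DNS cache entry for $c2 -> $($entry.Data)"
    }
    foreach ($conn in (Get-NetTCPConnection -State Established -RemotePort 80 -ErrorAction SilentlyContinue)) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Path -and $proc.Path -match '\\System32\\wmp\.exe$') {
            $findings += "wmp.exe (PID $($proc.Id)) has an established connection to $($conn.RemoteAddress):80"
        }
    }

    return $findings
}

$result = @(Find-PwsJoIndicators)
if ($result.Count -eq 0) { 'No PWS-JO indicators found.' } else { $result }
```

A DNS cache hit is worth reporting even though the site is described as no longer reachable: the lookup itself shows the binary ran. Any finding should be followed by the vendor cleaning steps below rather than manual deletion, since the Active Setup entry will re-run the stub at the next logon if only the file is removed.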
Method of Infection
N/A. Password Stealers are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system. Additionally, many of these are mass spammed by the author to entice people into double-clicking on them. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Password Stealer onto the user's system with no user interaction).
Removal
All Users:
Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:
2. Update to current engine and DAT files for detection and removal.
3. Run a complete system scan.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.
Variants
N/A
Overview
-- Update December 21, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://go.theregister.com/feed/http://www.theregister.co.uk/2006/12/20/skype_trojan/
--
The PWS-JO trojan has reportedly been distributed on the Skype network recently.
Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- ESET : Win32/Elife.A
- Microsoft : Win32/Scypex.A
- Sophos: Troj/PWSkype-A
- Symantec: Downloader