W32/Pykse.worm.a

Type: Virus
SubType: Internet Worm
Discovery Date: 04/16/2007
Length: varies
Minimum DAT: 5011 (04/17/2007)
Updated DAT: 5047 (06/06/2007)
Minimum Engine: 5.1.00
Description Added: 04/16/2007
Description Modified: 04/16/2007 7:24 PM (PT)
Risk Assessment
    Corporate User: Low-Profiled
    Home User: Low-Profiled

Characteristics

-- Update April 16, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.networkworld.com/news/2007/041607-new-worm-wriggles-around-on.html


W32/Pykse.worm.a is a worm that spreads via Skype chat messages.

On execution, the worm drops an executable and an image file in the %temp% folder. It then creates the following files:

    • %system%\Invisible002.dll
    • %system%\Skype.exe


It creates the following registry entry so that it is launched at system startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeStartup:"C:\WINDOWS\System32\Skype.exe"


It installs Invisible002.dll as a Browser Helper Object (BHO); the following registry entries are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FB39839-665D-4D47-873C-D3FD9009FC3B}\

    • TypeLib\: "{7FB39839-665D-4D47-873C-D3FD9009FC3B}"
    • InprocServer32\: "C:\WINDOWS\System32\Invisible002.dll"
    • : "Invisible"
    • : "{7FB29539-665D-4D47-873C-D3FD9719FC3B}"


The following subkey is also created:

    • HKEY_CURRENT_USER\Software\SkypeWorm\cfg


It displays a picture of a woman. The worm then tries to send instant messages via Skype. The messages are written in Lithuanian and can contain the following text:

    • oi netau cia turejo but sory
    • netau cia
    • uj netau sry
    • (rofl)
    • (devil)
    • bet cia nesveikai
    • pz ane?
    • paziurek kokia foto andrius atsiunte
    • kaip tau tokia? :D
    • ziurek kur sandros foto imeciau
    • matei kur sandros foto idejo?


The above text is followed by a link pointing to the worm, which may look like:

    • www.pa[REMOVED].ru/foto_galerija/[REMOVED]


The worm may also try to contact the following domains and potentially download other malware:

    • aras.allfreehost.net
    • timboss.1majorhost.com
    • pasidulkinam.com
    • finger.wronger.com

Symptoms

  • Skype chat history showing messages with the text listed above.
  • Presence of the files and registry entries listed above.
  • Network activity to the domains listed above.
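A defender-side check for the host and chat indicators above, written as an added example (not McAfee's tooling): it walks a Windows .reg export for the SkypeStartup Run entry, the BHO CLSID key and the SkypeWorm\cfg key, and flags chat lines that pair one of the Lithuanian lure phrases with a foto_galerija link. The sample registry export and chat lines are constructed, and the link host is a placeholder.

```python
import re

# Indicators quoted from the description above; the sample data below is constructed.
BHO_CLSID = "{7FB39839-665D-4D47-873C-D3FD9009FC3B}"
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN_KEY = CV + r"\Run"
BHO_KEY = CV + r"\Explorer\Browser Helper Objects" + "\\" + BHO_CLSID
CFG_KEY = r"HKEY_CURRENT_USER\Software\SkypeWorm\cfg"
LURES = ("paziurek kokia foto andrius atsiunte", "kaip tau tokia? :d",
         "ziurek kur sandros foto imeciau", "matei kur sandros foto idejo?")

def scan_reg_export(reg_text):
    """Walk a Windows .reg export and list the Pykse indicators it contains."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in (BHO_KEY.lower(), CFG_KEY.lower()):
                hits.append(("key", key))
        elif key and key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            # .reg exports double every backslash; undo that before matching the path.
            # A Skype.exe under System32 is the worm's copy, not a real Skype install.
            if m and "system32\\skype.exe" in m.group(2).replace("\\\\", "\\").lower():
                hits.append(("run", m.group(1)))
    return hits

def scan_chat(messages):
    """Flag Skype messages that pair a known lure text with a foto_galerija link."""
    flagged = []
    for msg in messages:
        low = msg.lower()
        if "foto_galerija" in low and any(lure in low for lure in LURES):
            flagged.append(msg)
    return flagged

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkypeStartup"="C:\\WINDOWS\\System32\\Skype.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}]

[HKEY_CURRENT_USER\Software\SkypeWorm\cfg]
"""
SAMPLE_CHAT = [  # constructed chat lines; example.invalid stands in for the real host
    "paziurek kokia foto andrius atsiunte www.example.invalid/foto_galerija/1",
    "ok, see you at 8",
    "ziurek kur sandros foto imeciau http://www.example.invalid/foto_galerija/2",
]
```

Run `scan_reg_export` over a `reg export` of HKLM and HKCU taken from the suspect host, and `scan_chat` over exported Skype chat history; the benign ctfmon.exe Run entry in the sample shows that ordinary autostart values are not flagged.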

Method of Infection

The worm propagates via Skype chat messages.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Pykse.worm.a is a worm that spreads via Skype chat messages. It may also download other malware on the compromised machine.

Aliases

  • IM-Worm.Win32.Pykse.a (Kaspersky)
  • Mal/Pykse-A (Sophos)
  • W32.Pykspa.A (Symantec)
