W32/Pykse.worm.b

Type: Virus
SubType: Worm
Discovery Date: 09/10/2007
Length: 188,416 bytes
Minimum DAT: 5117 (09/11/2007)
Updated DAT: 5117 (09/11/2007)
Minimum Engine: 5.1.00
Description Added: 09/10/2007
Description Modified: 09/11/2007 3:34 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

    Characteristics

    --- Update September 11, 2007 ---
    The risk assessment of this threat was updated to Low-Profiled due to media attention.

    To receive an extra.dat file for this threat, please visit: https://www.webimmune.net/extra/getextra.aspx

    W32/Pykse.worm.b is a worm that spreads via Skype chat messages.

    It creates copies of itself in the %system32% folder with the following filenames:

    • mshtmldat32.exe
    • sdrivew32.exe
    • winlgcvers.exe
    • wndrivs32.exe

    It creates the following registry entry to activate itself on system startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Services Start"
      Data: mshtmldat32.exe

    It also creates the following registry entries:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Windows Sys"
      Data: explorer.exe mshtmldat32.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Logon Settings"
      Data: mshtmldat32.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "Policies Options"
      Data:

    The following registry keys are also created:

    • HKEY_CURRENT_USER\Software\RMX
    • HKEY_LOCAL_MACHINE\SOFTWARE\RMX

    The worm will test for connectivity or download malware from the following domains:


    The %system32%\drivers\etc\hosts file is also modified by the worm to redirect network traffic intended for the following security-related domains:

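    As an added example (not part of the original write-up and not McAfee's code), the following Python check parses a hosts file and flags any entry that pins one of the security-related domains above to a static address, which is how the modification described here appears on disk. The domain set and the sample hosts content are constructed for illustration.

```python
"""Flag hosts-file entries that pin security-vendor or update domains.
Added example for this write-up, not McAfee's code; domain set and sample
hosts content are constructed to mimic the modification described above."""
import ipaddress

# A subset of the domains the write-up lists as redirected by the worm.
WATCHED_DOMAINS = {
    "mcafee.com", "symantec.com", "kaspersky-labs.com", "f-secure.com",
    "sophos.com", "virustotal.com", "windowsupdate.microsoft.com",
}

# Constructed sample: the stock Windows default plus lines of the kind the
# worm appends. Pinning a vendor domain to loopback starves updates/scans.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       mcafee.com us.mcafee.com   # several names on one line
127.0.0.1\tliveupdate.symantec.com
0.0.0.0         windowsupdate.microsoft.com
10.0.0.5        intranet.example        # unrelated entry, not flagged
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip malformed line
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return [(ip, hostname)] for watched domains with a static entry.
    Normally resolved via DNS, so any hosts mapping for them is suspect."""
    return [(ip, host) for ip, host in parse_hosts(text) if is_watched(host)]
```

    On a live system, feed the function the contents of %system32%\drivers\etc\hosts; a clean default file yields an empty list.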

    If Skype is installed on the victim machine, the worm sends instant messages to everyone in the contacts list.
    The worm also automatically sets the Skype status to "Do Not Disturb (DND)".

    The messages contain a combination of the following texts:

    • a ?
    • pala biski
    • as net nezinau ka tavo vietoj daryciau.
    • matai :D
    • geras ane ?
    • patinka?
    • kas cia tavim taip isderge ? =]]
    • cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
    • cia tu isimetei ?
    • zek kur tavo foto metos isdergta
    • (mm) kaip as taves noriu
    • ziurek kur tavo foto imeciau :D
    • esi?
    • labas
    • what ur friend name wich is in photo ?
    • this (happy) sexy one
    • u happy ?
    • oh sry not for u
    • oops sorry please don't look there :S
    • you checked ?
    • (rofl)
    • (devil)
    • really funny
    • now u populr
    • haha lol
    • look what crazy photo Tiffany sent to me,looks cool
    • I used photoshop and edited it
    • where I put ur photo :D
    • your photos looks realy nice
    • look
    • how are u ? :)
    • hey

    The above text is followed by a link pointing to the worm, which may look like:

    • http://www.f[REMOVED].org/erotic-gallerys/usr5d8c/[Removed].jpg
    • http://www.my[REMOVED].net/erotic-gallerys/usr5d8c/[Removed].jpg

    On execution, the worm terminates certain security-related tools.

    It will also infect removable drives by making a copy of itself and an autorun.inf file to auto-start the worm.

    (where %system32% is the Windows system folder; e.g. C:\Windows\System32)

    Symptoms

    • Skype chat history containing messages with the text listed above.
    • Presence of the files and registry entries listed above.
    • Skype status changing to "DND" without user intervention.
    • Unexpected network connections to the previously mentioned websites.

    Method of Infection

    This worm propagates via Skype chat messages.

    Removal

    AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

      N/A

    Aliases

    • W32.Pykspa.A (Symantec)
    • W32.Pykspa.D (Symantec)
    • W32/Ramex.A
    • Win32/Persky worm (Nod32)
    • Worm.Win32.Skipi.b (F-Secure)
    • Worm.Win32.Skipi.b (Kaspersky)
