PWS-Pykse

Type: Trojan
SubType: Password
Discovery Date: 10/17/2007
Length: 3,87,584 bytes
Minimum DAT: 5143 (10/17/2007)
Updated DAT: 5143 (10/17/2007)
Minimum Engine: 5.1.00
Description Added: 10/17/2007
Description Modified: 10/18/2007 10:08 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This password-stealing trojan purports to be a new plug-in for Skype.

On execution, the trojan displays a fake message box stating that a Skype plug-in called "Skype-Defender" has been installed.

It also terminates any running instance of Skype and pops up a fake Skype login window.

Once the user enters the username and password, the trojan collects this information and sends it to a predefined website, then displays a fake message stating that the username and password were not recognized.

This trojan does not create any registry entries for loading at system startup.

Symptoms

  • The Skype login window looks different.
  • Valid usernames and passwords are not recognized.

Method of Infection

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This detection is for a password-stealing trojan that targets Skype and steals the username and password entered by the user.

Aliases

  • Trojan-Spy.Win32.Skyper.b (F-Secure)
  • Trojan-Spy.Win32.Skyper.b (Kaspersky)
  • TSPY_SPEYK.A (Trend Micro)
