
Generic Dropper.js

Type
Trojan
SubType
Win32
Discovery Date
08/22/2009
Length
Varies
Minimum DAT
5717 (08/22/2009)
Updated DAT
5780 (10/23/2009)
Minimum Engine
5.2.00
Description Added
08/22/2009
Description Modified
10/08/2009 12:27 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled


Characteristics

-- Update October 08, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/10/06/scareware_skype/

--

This Trojan is a scareware application. It disables all programs besides itself and Internet Explorer from running.

When run, it drops itself to C:\Documents and Settings\All Users\Application Data\13656094 (or a similar folder) and deletes itself using a batch file.

It logs user data in two files in the above-mentioned folder and creates the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\13656094

Note that the folder name string, which is "13656094" in this case, can vary.

The desktop background is changed to display a bogus virus-infection warning message. The user is shown a screen like this, or other bogus messages about virus infection:

In addition, the user is shown a message asking to purchase a "subscription", as shown:

Symptoms

The presence of the files, registry keys, and messages mentioned above, and an inability to run any programs besides Internet Explorer.
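The folder and registry artefacts listed above can be correlated with a small check. The following is an added illustration, not McAfee's own code or tooling: the function names, the assumption that the folder id is an all-digit string of at least six characters (the page only gives "13656094" as one sample and says it varies), and the sample listings are constructed for the example. On a live Windows host it reads the real folder listing and HKLM\SOFTWARE subkeys; elsewhere it falls back to the constructed sample so it still runs offline.

```python
r"""Correlate the scareware artefacts from the description.

Added example (not McAfee code). The description says the Trojan drops
itself into a numerically named folder under
    C:\Documents and Settings\All Users\Application Data\<id>
and creates HKEY_LOCAL_MACHINE\SOFTWARE\<id> with the same <id>.
A random numeric folder or key on its own is weak evidence; the same id
appearing in BOTH places is the condition worth flagging.
"""
import os
import re
import sys

# Path as given on the page (Windows XP era layout).
ALL_USERS_APPDATA = r"C:\Documents and Settings\All Users\Application Data"

# Assumption for the example: the id is all digits, at least six long.
NUMERIC_NAME = re.compile(r"^\d{6,}$")


def numeric_names(names):
    """Return the subset of names that match the numeric-id pattern."""
    return {n for n in names if NUMERIC_NAME.match(n)}


def find_suspect_ids(folder_names, registry_subkeys):
    r"""Ids present both as a folder under All Users\Application Data
    and as a subkey under HKLM\SOFTWARE, sorted for stable output."""
    return sorted(numeric_names(folder_names) & numeric_names(registry_subkeys))


def collect_live_names():
    r"""Read the real folder listing and HKLM\SOFTWARE subkey names.
    Windows only; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows

    try:
        folders = os.listdir(ALL_USERS_APPDATA)
    except OSError:
        folders = []

    keys = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE") as hkey:
        index = 0
        while True:
            try:
                keys.append(winreg.EnumKey(hkey, index))
            except OSError:  # raised once the subkey list is exhausted
                break
            index += 1
    return folders, keys


# Constructed sample listings standing in for a live host.
# "20091006" appears only as a folder, so it must NOT be reported.
SAMPLE_FOLDERS = ["Microsoft", "Adobe", "13656094", "20091006", "Symantec"]
SAMPLE_REG_KEYS = ["Classes", "Microsoft", "13656094", "Policies", "ODBC"]


if __name__ == "__main__":
    live = collect_live_names()
    folders, keys = live if live is not None else (SAMPLE_FOLDERS, SAMPLE_REG_KEYS)
    hits = find_suspect_ids(folders, keys)
    if hits:
        for suspect in hits:
            print(f"SUSPECT id {suspect}: folder under {ALL_USERS_APPDATA} "
                  f"and key HKLM\\SOFTWARE\\{suspect} both present")
    else:
        print("no correlated folder/registry ids found")
```

Run it as a script on the affected machine; the paired folder and key are the indicator, and a match is the point at which to clean with the engine and DAT combination listed above rather than to delete the artefacts by hand.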

Method of Infection

The most recent variant of this threat arrived as a link in a Skype message.

Droppers are not viruses, and as such do not themselves contain any method to replicate. However, they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these may additionally be mass-spammed by the author to entice people into executing them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Dropper onto the user's system with no user interaction).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Droppers are files which contain other binaries within their body. They act like a self-extracting ZIP file, taking the files stored inside and then installing them on the affected machine.

The types of files dropped by many droppers include other Trojans, such as Downloaders (to download yet more files from the remote machine), BackDoors (to allow the hacker remote access to the client machine), and Dialers (to change the dial-up settings of the client's Internet connection, normally to a premium rate number).
