Worm.Win32.Skipi.a

Tag: Internet Worms

The worm spreads via Skype. It is managed remotely via a dedicated API interface. It sends a message to every entry on the Skype contact list; each message is composed of a selection of the following text strings:

hey
how are u ? :)
look
your photos looks realy nice
where I put ur photo :D
I used photoshop and edited it
look what crazy photo Tiffany sent to me...
haha lol
now u populr
really funny
you checked ?
oops sorry please don't look there :S
oh sry not for u
u happy ?
this (happy) sexy one
what ur friend name wich is in photo ?
labas
esi?
ziurek kur tavo foto imeciau :D
kaip as taves noriu
zek kur tavo foto metos isdergta
cia tu isimetei ?
cia biski su photoshopu pazaidziau bet...
kas cia tavim taip isderge ? =]]
patinka?
geras ane ?
matai :D
as net nezinau ka tavo vietoj daryciau...
:S
pala biski

The messages contain a link to the worm file. Below is an example of the messages sent by the worm:

[17:59:05] User says: how are u ? :) 
[17:59:22] User says: look what crazy photo Tiffany sent to me,looks cool 
[17:59:26] User says: http://www%InfectedURL%.jpg 
[17:59:37] User says: oops sorry please don't look there :S 
[17:59:40] User says: :)

The worm uses a Windows file icon in order to disguise the program.

When the victim machine is connected to the Internet, the worm may download files from the following links:

http://www.****me.org/erotic-gallerys/usr5d8c/****.jpg (at the time of writing, this link was not working)
http://www.****space.net/erotic-gallerys/usr5d8c/****.scr (this file is 188,416 bytes in size and is detected by Kaspersky Anti-Virus as Worm.Win32.Skipi.c)

The worm also spreads by copying itself to flash drives connected to the victim machine. It will copy itself to the root directory under the following names:

game.exe
zjbs.exe

The worm creates a file called "autorun.inf" in the flash drive's root directory. This file contains the following code:

[autorun]
action=Windows Picture and Fax Viewer
open=zjbs.exe
icon=zjbs.exe

This enables the worm to launch automatically when the flash drive is connected to an uninfected machine, provided that autorun of removable-drive contents is enabled on that machine.
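As an added example (not code from the original page or from Kaspersky), the following Python audit parses an autorun.inf of the kind described above and reports what it would auto-execute and how the entry is labelled; the sample content is constructed from the entries quoted on the page.

```python
# Added example (not from the page or from Kaspersky): parse an autorun.inf
# and report the launch pattern described above, where open= runs an
# executable from the drive root while action= borrows a Windows program name.
import re

LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # values that get executed
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")

def parse_autorun(text):
    """Return {lowercase_key: value} for the [autorun] section; other sections ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """Return findings (strings); an empty list means nothing is auto-executed."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        target = entries.get(key, "")
        exe = target.split()[0].lower() if target else ""  # ignore any arguments
        if exe.endswith(EXEC_EXT):
            findings.append(f"{key}= executes '{target}'")
    if findings:
        if entries.get("action"):
            # The label shown in the AutoPlay dialog is chosen to look like a viewer.
            findings.append(f"action= labels the entry '{entries['action']}'")
        if entries.get("icon", "").lower().endswith(EXEC_EXT):
            findings.append("icon= is taken from the executable itself")
    return findings

# Constructed sample reproducing the autorun.inf quoted on the page.
WORM_AUTORUN = """[autorun]
action=Windows Picture and Fax Viewer
open=zjbs.exe
icon=zjbs.exe
"""
```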

The worm also modifies the following file:

%System%\drivers\etc\hosts

This causes requests to the antivirus update sites listed below to be redirected to a random IP address:

avast.com
avp.com
ca.com
drweb.com
eset.com
f-secure.com
symantec.com
pandasoftware.com
sophos.com
mcafee.com
kaspersky-labs.com
kaspersky.ru
symantecliveupdate.com
viruslist.com
networkassociates.com
norman.com
trendmicro.com
nai.com
grisoft.com
esaugumas.lt
virustotal.com
windowsupdate.microsoft.com
jotti.org
bkav.com.vn
bitdefender.com
barracudanetworks.com
free-av.com
nod32-es.com
my-etrust.com

The worm also terminates processes if the process names contain one of the substrings listed below:

53ARCH
_AVP32
_AVPCC
_AVPM
ACKWIN32
ADAWARE
ADVXDWIN
AGENTSVR
AGENTW
ALERTSVC
ALEVIR
ALOGSERV 
AMON9X 
ANTI-TROJAN 
ANTIVIRUS 
APIMONITOR 
APLICA32 
APORTS 
APVXDWIN 
ARMKILLER 
ATCON 
ATGUARD 
ATRO55EN 
ATUPDATER 
ATWATCH 
AUPDATE 
AUTODOWN 
AUTOTRACE 
AUTOUPDATE 
AVCONSOL 
AVE32 
AVGCC32 
AVGCTRL 
AVGNT 
AVGSERV 
AVGSERV9 
AVGUARD 
AVKPOP 
AVKSERV 
AVKSERVICE 
AVKWCTl9 
AVLTMAIN 
AVP32 
AVPCC 
AVPDOS32 
AVPTC32 
AVPUPD 
AVSCHED32 
AvSynMgr 
AVWIN95 
AVWINNT.EXE 
AVWUPD 
AVWUPD32 
AVWUPSRV 
AVXMONITOR9X 
AVXMONITORNT 
AVXQUAR 
BACKWEB 
BARGAINS 
BD_PROFESSIONAL 
BEAGLE 
BIDEF 
BIDSERVER 
BIPCP 
BIPCPEVALSETUP 
BLACKD 
BLACKICE 
BOOTCONF 
BOOTWARN 
BORG2 
BRASIL 
BS120 
BUNDLE 
CCAPP 
CCEVTMGR 
CCPXYSVC 
CFGWIZ 
CFIADMIN 
CFIAUDIT 
CFINET 
CFINET32 
Claw95 
CLAW95CF 
CLEAN 
CLEANER 
CLEANER3 
CLEANPC 
CLICK 
CLIENT 
CMD32 
CMESYS 
CMGRDIAN 
CMON016 
CONDOM 
CPF9X206 
CPFNT206 
CRACKER 
CWNB181 
CWNTDWMO 
DATEMANAGER 
DCOMX 
DEFALERT 
DEFSCANGUI 
DEFWATCH 
DEPUTY 
DLLCACHE 
DLLREG 
DOORS 
DPFSETUP 
DPPS2 
DRWATSON 
DRWEB32 
DRWEBUPW 
DSSAGENT 
DVP95 
DVP95_0 
ECENGINE 
EFPEADM 
ESAFE 
ESCANH95 
ESCANHNT 
ESCANV95 
ESPWATCH 
ETHEREAL 
ETRUSTCIPE 
EXE.AVXW 
EXPERT 
EXPLORE 
F-AGNT95 
F-AGOBOT 
F-PROT 
F-PROT95 
F-STOPW 
FAMEH32 
FCH32 
FIH32 
FINDVIRU 
FIREWALL 
FLOWPROTECTOR 
FNRB32 
FP-WIN 
FP-WIN_TRIAL 
FPORT 
FPROT 
FRHED 
FSAV32 
FSAV530STBYB 
FSAV530WTBYB 
FSAV95 
FSGK32 
FSM32 
FSMA32 
FSMB32 
GATOR 
GBMENU 
GBPOLL 
GENERICS 
GUARD 
GUARDDOG 
HACKTRACERSETUP 
HBINST 
HBSRV 
HIJACKTHIS 
HONEYD 
HOTACTIO 
HOTPATCH 
HTLOG 
HTPATCH 
HXIUL 
IAMAPP 
IAMSERV 
IAMSTATS 
IBMASN 
IBMAVSP 
ICESWORD 
ICLOAD95 
ICLOADNT 
ICMON 
ICSUPP95 
ICSUPPNT 
IEDLL 
IEDRIVER 
IEXPLORER 
IFACE 
IFW2000 
IISLOCKD 
INETLNFO 
INFUS 
INFWIN 
INTDEL 
INTREN 
IOMON98 
IPARMOR 
ISASS 
ISRV95 
ISTSVC 
JAMMER 
JDBGMRG 
KAVLITE40ENG 
KAVPERS40ENG 
KAVPF 
KAVSVC 
KAZZA 
KEENVALUE 
KERNEL32 
LAUNCHER 
LDNETMON 
LDPRO 
LDPROMENU 
LDSCAN 
LNETINFO 
LOADER 
LOCALNET 
LOCKDOWN 
LOCKDOWN2000 
LOGGER 
LOGVIEWER 
LOOKOUT 
LORDPE 
LSETUP 
LUALL 
LUCOMSERVER 
LUINIT 
LUSPT 
MAPISVC32 
MCAGENT 
MCMNHDLR 
MCSHIELD 
MCTOOL 
MCUPDATE 
MCVSRTE 
MCVSSHLD 
MFIN32 
MFW2EN 
MFWENG3.02D30 
MGAVRTCL 
MGAVRTE 
MGHTML 
MINILOG 
MONITOR 
MOOLIVE 
MOSTAT 
MPFAGENT 
MPFSERVICE 
MPFTRAY 
MRFLUX 
MSAPP 
MSBLAST 
MSCACHE 
MSCCN32 
MSCMAN 
MSCONFIG 
MSDOS 
MSIEXEC16 
MSINFO32 
MSLAUGH 
MSMGT 
MSMSGRI32 
MSSMMC32 
MSSYS 
MSVXD 
MU0311AD 
MWATCH 
N32SCANW 
NAVAP.NAVAPSVC 
NAVAPSVC 
NAVAPW32 
NAVDX 
NAVLU32 
NAVNT 
NAVSTUB 
NAVW32 
NAVWNT 
NC2000 
NCINST4 
NDD32 
NEOMONITOR 
NEOWATCHLOG 
NETARMOR 
NETD32 
NETINFO 
NETMON 
NETSCANPRO 
NETSTAT 
NETUTILS 
NISSERV 
NISUM 
NMAIN 
NOD32 
NOD32CC 
NOD32KRN 
NOD32KUI 
NOD32M2 
NORMIST 
NOTSTART 
NPFMESSENGER 
NPROTECT 
NPSCHECK 
NPSSVC 
NSCHED32 
NSSYS32 
NSTASK32 
NSUPDATE 
NTRTSCAN 
NTVDM 
NTXconfig 
NUPGRADE 
NVARCH16 
NVC95 
NVSVC32 
NWINST4 
NWSERVICE 
NWTOOL16 
OLLYDBG 
ONSRVR 
OPTIMIZE 
OSTRONET 
OTFIX 
OUTPOST 
OUTPOSTINSTALL 
PADMIN 
PANIXK 
PATCH 
PAVCL 
PAVPROXY 
PAVSCHED 
PCC2002S902 
PCC2K_76_1436 
PCCIOMON
PCCNTMON
PCCWIN97
PCCWIN98
PCDSETUP
PCFWALLICON
PCIP10117_0
PCSCAN
PDSETUP
PEDASM
PENIS
PERISCOPE
PERSFW
PERSWF
pexplorer
PFWADMIN
PGMONITR
PINGSCAN
PLATIN
PMDUMP
POP3TRAP
POPROXY
POPSCAN
PORTDETECTIVE
PORTMONITOR
POWERSCAN
PPINUPDT
PPTBC
PPVSTOP
PRIZESURFER
PRMVR
PROCDUMP
PROCESSMONITOR
PROCEXP
PROGRAMAUDITOR
PROPORT
PROTECTX
PURGE
PUSSY
PVIEW95
QCONSOLE
QSERVER
RAPAPP
RAV7WIN
RAV8WIN32ENG
RCSYNC
REALMON
REGCLEANER
REGED
REGEDIT
REGEDT32
RERGCLEANR
RESCUE
RESCUE32
RRGUARD
RSHELL
RTVSCAN
RTVSCN95
RULAUNCH
RUN32DLL
RUNDLL
RUNDLL16
RUXDLL32
SAFEWEB
SAHAGENT
SAVENOW
SBSERV
SCAM32
SCAN32
SCAN95
SCANPM
SCRSCAN
SCRSVR
SCVHOST
SERV95
SERVICE
SERVLCE
SERVLCES
SETUPVAMEEVAL
SGSSFW32
SHELLSPYINSTALL
SHOWBEHIND
SMSS32
SPERM
SPHINX
SPOLER
SPOOLCV
SPOOLSV32
SPYXX
SREXE
SS3EDIT
SSG_4104
SSGRATE
START
STCLOADER
SUPFTRL
SUPPORT
SUPPORTER5
SVCHOSTC
SVCHOSTS
SVSHOST
SWEEP95
SYMPROXYSVC
SYMTRAY
SYSEDIT
SYSTEM
SYSTEM32
SYSUPD
TASKMG
TASKMO
TASKMON
TAUMON
TBSCAN
TCPVIEW
TDS-3
TDS2-98
TDS2-NT
TEEKIDS
TFAK5
TGBOB
TITANIN
TITANINXP
TRACERT
TRICKLER
TRJSCAN
TRJSETUP
TROJANTRAP3
TSADBOT
TVTMD
UNDOBOOT
UPDAT
UPDATE
UPGRAD
UTPOST
VBCMSERV
VBCONS
VBUST
VBWIN9X
VBWINNTW
VCSETUP
VET32
VET95
VETTRAY
VFSETUP
VIR-HELP
VNLAN300
VNPC3000
VPC32
VPC42
VPFW30S
VPTRAY
VSCAN40
VSCENU6.02D30
VSCHED
VSECOMR
VSHWIN32
VSISETUP
VSMAIN
VSMON
VSSTAT
VSWIN9XE
VSWINNTSE
VSWINPERSE
W32DSM89
WATCHDOG
WEBDAV
WEBSCANX
WEBTRAP
WFINDV32
WGFE95
WHOSWATCHINGME
WIMMUN32
WIN-BUGSFIX
WIN32
WIN32US
WINACTIVE
WINDBG
WINDOW
WINDOWS
WINDUMP
WININETD
WININIT
WININITX
WINLOGIN
WINMAIN
WINNET
WINPPR32
WINRECON
WINSERVN
WINSSK32
WINSTART
WINSTART001
WINTSK32
WINUPDATE
WKUFIND
WRADMIN
WRCTRL
WSBGATE
WUPDATER
WUPDT
XPF202EN
ZAPRO
ZAPSETUP3001
ZATUTOR
ZONALM2601
ZONEALARM

If an attempt is made to terminate the following processes:

wndrivs.exe
mshtml32.exe
sdrives32.exe
winlgcver.exe

the worm code, which has been injected into the "explorer.exe" process, will be launched again.

Detection

Detection for this version of the worm was added to the Kaspersky Anti-Virus databases as an urgent update.

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete all files created by the worm:
    %System%\wndrivs.exe
    %System%\mshtml32.exe
    %System%\sdrives32.exe
    %System%\winlgcver.exe
  4. Delete the following system registry keys (see "What is a system registry and how do I use it" for details on how to edit the registry):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Start Services" = "%WormCopy%"
    
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Windows Explorer" = "explorer.exe %WormCopy%"
    "Logon Data" = "%WormCopy%"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    "Policies Settings" = ""
    
    [HKLM\Software\RMX\cfg]
  5. Modify the %System%\drivers\etc\hosts file using any standard text editor (e.g. Notepad) and delete the strings added by the worm. The original hosts file has the following contents:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    127.0.0.1       localhost
  6. Check all flash drives which have been connected to the victim machine for the presence of the following files in the root directory:
    game.exe
    zjbs.exe
    autorun.inf
  7. If such files are found, delete them.
  8. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
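As an added example for the hosts-file modification described earlier and for step 5 above (not code from the original page or from Kaspersky), this Python script finds and strips hosts entries that map any of the listed antivirus update domains; the sample hosts file is constructed, with RFC 5737 documentation addresses standing in for the random IPs the worm writes.

```python
# Added example (not from the page or from Kaspersky): audit a Windows hosts
# file for mappings of the antivirus update domains listed above and strip them.
import ipaddress

HIJACKED_DOMAINS = {  # the domain list given on the page
    "avast.com", "avp.com", "ca.com", "drweb.com", "eset.com", "f-secure.com",
    "symantec.com", "pandasoftware.com", "sophos.com", "mcafee.com",
    "kaspersky-labs.com", "kaspersky.ru", "symantecliveupdate.com", "viruslist.com",
    "networkassociates.com", "norman.com", "trendmicro.com", "nai.com", "grisoft.com",
    "esaugumas.lt", "virustotal.com", "windowsupdate.microsoft.com", "jotti.org",
    "bkav.com.vn", "bitdefender.com", "barracudanetworks.com", "free-av.com",
    "nod32-es.com", "my-etrust.com",
}

def is_hijacked_host(hostname):
    """True if hostname is a listed vendor domain or any subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in HIJACKED_DOMAINS)

def hijacked_entries(hosts_text):
    """Return (line_no, ip, hostname) for every mapping of a listed domain. Any
    mapping is reported: random address or loopback, updates never reach the vendor."""
    found = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comment, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so not a mapping line
        found += [(no, ip, h) for h in fields[1:] if is_hijacked_host(h)]
    return found

def clean_hosts(hosts_text):
    """Return hosts_text with every line that maps a listed domain removed."""
    bad = {no for no, _, _ in hijacked_entries(hosts_text)}
    lines = enumerate(hosts_text.splitlines(), 1)
    return "\n".join(l for no, l in lines if no not in bad) + "\n"

# Constructed sample: default header plus the kind of entries the worm adds
# (RFC 5737 documentation addresses stand in for the random IPs it writes).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.17    kaspersky.ru www.kaspersky.ru
198.51.100.9    liveupdate.symantecliveupdate.com  # added by worm
192.0.2.44      windowsupdate.microsoft.com
10.0.0.5        fileserver.example.corp
"""
```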

This worm spreads via Skype. Infected messages will be sent to all Skype contacts on the victim machine.

The worm is a Windows PE EXE file. The file is 188,416 bytes in size. It is written in C.

Installation

In order to hide its functionality from the user, the worm opens the following file using the image viewer (assuming that this file is present on the victim machine):

%WinDir%\Soap Bubbles.bmp

Once launched, the worm copies its executable file to the Windows system directory under the following names:

%System%\wndrivs.exe
%System%\mshtml32.exe
%System%\sdrives32.exe
%System%\winlgcver.exe

In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file (%WormCopy% leads to one of the files listed above) to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Start Services" = "%WormCopy%"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Windows Explorer" = "explorer.exe %WormCopy%"
"Logon Data" = "%WormCopy%"

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies Settings" = ""

The worm also creates the following system registry key:

[HKLM\Software\RMX\cfg]

Payload

©Virus-Encyclopedia.com All Rights Reserved.