iPolicy Networks Security Advisory
 

Worm.W32.Skipi.A.im

Date Discovered: 09/13/2007
Severity: Low
Operating Systems: Microsoft Windows
Size: 188416 Bytes
MD5Sum: D3B2B81BA7745932B16C38885058A4C9
Alias: W32.Pykspa.D [Symantec], WORM_SKIPI.A [TrendMicro]
Synopsis
Worm.W32.Skipi.A.im is an instant messaging worm that uses Skype's chat service as its propagation medium. It may arrive as an email attachment, be downloaded while browsing malicious websites, or spread via removable drives. It terminates certain security-related processes and blocks access to security vendor websites by modifying the hosts file. The malware is written in Microsoft Visual C++.
Recommended Actions
1. Users are advised to open email attachments from trusted parties only.
2. The Registry entries added by the malware should be deleted.
3. Antivirus definitions should be updated to detect this infection.
4. IDS/IPS engines should be updated to detect the propagation and/or activity of the malware.
5. Removable drives should be scanned before use.
Threat Analysis
On execution, Worm.W32.Skipi.A.im first modifies the hosts file to block access to the following domains and their subdomains by redirecting them to other hosts:

symantec.com
pandasoftware.com
sophos.com
mcafee.com
kaspersky-labs.com
kaspersky.ru
drweb.com
comdrweb.com
symantecliveupdate.com
viruslist.com
f-secure.com
avp.com
norman.com
networkassociates.com
ca.com
my-etrust.com
nai.com
trendmicro.com
grisoft.com
esaugumas.lt
virustotal.com
microsoft.com
virusscan.jotti.org
bkav.com.vn
bitdefender.com
aonealarm.com
barracudanetworks.com
free-av.com
avast.com
pandasecurity.com
nod32-es.com
nod32.com
eset.com

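The hosts-file tampering described above is easy to check for on a suspect machine or a forensic image. The script below is an added example, not part of the iPolicy write-up: it parses hosts-file text (comments, several names per line, malformed lines) and reports every entry that overrides one of the vendor domains listed above or any subdomain of one. The hosts content embedded in it is constructed sample input, not a capture from an infected system.

```python
# Added example (not from the iPolicy advisory): flag hosts-file entries that
# override resolution of the security-vendor domains the worm targets.
import ipaddress

# Parent domains from the advisory; the worm also covers their subdomains.
BLOCKED_PARENT_DOMAINS = {
    "symantec.com", "pandasoftware.com", "sophos.com", "mcafee.com",
    "kaspersky-labs.com", "kaspersky.ru", "drweb.com", "comdrweb.com",
    "symantecliveupdate.com", "viruslist.com", "f-secure.com", "avp.com",
    "norman.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "esaugumas.lt", "virustotal.com",
    "microsoft.com", "virusscan.jotti.org", "bkav.com.vn", "bitdefender.com",
    "aonealarm.com", "barracudanetworks.com", "free-av.com", "avast.com",
    "pandasecurity.com", "nod32-es.com", "nod32.com", "eset.com",
}

def matches_parent(hostname, parents=BLOCKED_PARENT_DOMAINS):
    """True if hostname equals a parent domain or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == p or h.endswith("." + p) for p in parents)

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    A mapping line is '<ip> <name> [<name> ...]'; '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        for name in fields[1:]:
            yield str(ip), name, line_no

def find_hijacked_entries(text, parents=BLOCKED_PARENT_DOMAINS):
    """Return (line_no, hostname, ip) for entries that override a blocked domain.
    Pointing a vendor domain at loopback blocks updates just as effectively as
    pointing it at a stray host, so every mapping of these names is reported."""
    return [(line_no, name, ip) for ip, name, line_no in parse_hosts(text)
            if matches_parent(name, parents)]

# Constructed sample hosts-file content, not a capture from an infected host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed entries of the kind the write-up describes
127.0.0.1       www.symantec.com symantec.com
10.0.0.1        liveupdate.symantecliveupdate.com   # redirected elsewhere
192.168.1.5     www.mycompany.example               # unrelated, not flagged
bad line
"""

if __name__ == "__main__":
    for line_no, name, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; on an image, the same path under the mounted volume. Restoring the file to a single loopback entry for localhost is the usual remediation once the worm itself has been removed.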
It then drops a copy of itself as wndrivsd32.exe in the %SYSTEM FOLDER% and launches itself from there. Worm.W32.Skipi.A.im creates further files at the following locations:

%SYSTEM FOLDER%\mshtmlsh32.exe
%SYSTEM FOLDER%\winlgcverx.exe
%SYSTEM FOLDER%\sdrivec32.exe


It also copies itself to removable drives as zjbs.exe and game.exe.

It looks for the file Soap Bubbles.bmp in the %SYSTEM% folder and displays it if found; otherwise it displays the message "C:\winnt\soap.bmp was not found", as shown in the screenshot below:



It also creates a mutex named pyksp2.0.0.4gM-2oo8&-825190 to ensure that only one instance of the worm runs at a time.

To start automatically at system startup, it adds the following entries to the Registry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\Windows Sysdat = explorer.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\Windows Sysdat = explorer.exe mshtmlsh32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\Policies Options2 = m

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\Logon Settings2 = mshtmlsh32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Services Start2
= mshtmlsh32.exe
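The registry entries above are the worm's persistence points, and an exported copy of the affected keys is usually what an analyst has to hand rather than live registry access. The script below is an added example, not part of the iPolicy write-up: it parses a .reg export (the text format regedit writes) and reports values whose names match the ones the advisory lists, plus any value under other keys whose data references one of the dropped file names. The export text embedded in it is constructed sample input, not a capture.

```python
# Added example (not from the iPolicy advisory): find the worm's persistence
# values in a .reg export. Default values ("@=...") and binary data are ignored;
# only quoted string values are examined.
import re

# Key -> value names the advisory attributes to the worm.
PERSISTENCE_IOCS = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"Windows Sysdat", "Logon Settings2"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run":
        {"Policies Options2"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce":
        {"Services Start2"},
}
# File names the advisory says the worm drops into the system folder.
DROPPED_NAMES = {"wndrivsd32.exe", "mshtmlsh32.exe", "winlgcverx.exe", "sdrivec32.exe"}

HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

def normalize_key(key):
    """Expand HKLM/HKCU abbreviations and lower-case the path for comparison."""
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()

VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Yield (key, value_name, data) for each quoted string value in .reg text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        yield key, _unescape(m.group("name")), data

def find_persistence(text, iocs=PERSISTENCE_IOCS, dropped=DROPPED_NAMES):
    """Return (key, name, data, reason) for values matching the advisory's IoCs."""
    wanted = {normalize_key(k): names for k, names in iocs.items()}
    hits = []
    for key, name, data in parse_reg_export(text):
        nk = normalize_key(key)
        if nk in wanted and name in wanted[nk]:
            hits.append((key, name, data, "listed value name"))
        elif any(d in data.lower() for d in dropped):
            hits.append((key, name, data, "references dropped file"))
    return hits

# Constructed .reg export, not a capture from an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Windows Sysdat"="explorer.exe mshtmlsh32.exe"
"Logon Settings2"="mshtmlsh32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies Options2"="m"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Services Start2"="mshtmlsh32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Updater"="C:\\WINDOWS\\system32\\sdrivec32.exe"
"""

if __name__ == "__main__":
    for key, name, data, reason in find_persistence(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data}")
```

The legitimate Shell value in the same Winlogon key is left alone, which is the point of matching on the specific value names the advisory gives rather than on the key. The second rule (data mentioning a dropped file) catches a copy of the worm registered under a different value name than the ones documented.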

It uses the Skype instant messaging application's chat service to send the messages listed below to the contacts in the infected user's contact list.

ops
pala biski
:S
as net nezinau ka tavo vietoj daryciau.
matai :D
geras ane ?
patinka?
kas cia tavim taip isderge ? =]]
cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
cia tu isimetei ?
zek kur tavo foto metos isdergta
(mm) kaip as taves noriu
ziurek kur tavo foto imeciau :D
esi?
labas
what ur friend name wich is in photo ?
this (happy) sexy one
u happy ?
oh sry not for u
oops sorry please don't look there :S
you checked ?
(rofl)
(devil)
really funny
now u populr
haha lol
look what crazy photo Tiffany sent to me,looks cool
I used photoshop and edited it
where I put ur photo :D
your photos looks realy nice
look
how are u ? :)



It also sends the following URLs as part of the instant messages:

http://www.myimagespace.net/erotic-gallerys/usr5d8c/dsc027.jpg
http://www.fakeme.org/erotic-gallerys/usr5dsc/dsc027.jpg


At the time of writing, the first URL was active and the second appeared to be down.



It changes the Skype client's status to Do Not Disturb. If the user changes the status from DND to any other option, it is set back to Do Not Disturb and the status option is disabled.


The worm Worm.W32.Skipi.A.im is observed querying the DNS server for the address (A) records of the following domains:

www.gamesforum.com
velve-42728-001.dsvr.co.uk
sdgfg.alladultmale.com
www.freewebs.com
members.lycos.co.uk
forum.ragezone.com
fdfddf.attorney-site.com
asdffdgfg.mylawsite.net
kupralana77.110mb.com
kale45.php0h.com
kale99.blog.co.uk
ttyy.lookingat.us
trrrr.cpa-site.com
zopa.110mb.com
ragai.myartsonline.com
rrrr.bedclip.com
zappa.4444mb.com
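The DNS lookups listed above are the most network-visible trace of the worm, so a resolver's query log is a practical place to hunt for infected clients. The script below is an added example, not part of the iPolicy write-up: it parses BIND-style query log lines, matches A-record queries against the exact names above, and reports clients that resolved at least two distinct names. Exact-name matching is deliberate, since several of the names sit under shared hosting domains (www.freewebs.com, members.lycos.co.uk, 110mb.com) whose other subdomains are legitimate; the distinct-name threshold keeps a single coincidental lookup from raising an alert. The log lines embedded in it are constructed sample input, not a capture.

```python
# Added example (not from the iPolicy advisory): find clients whose DNS queries
# match the domains the worm is observed resolving.
import re
from collections import defaultdict

# Exact query names from the advisory.
WORM_QUERIED_DOMAINS = {
    "www.gamesforum.com", "velve-42728-001.dsvr.co.uk", "sdgfg.alladultmale.com",
    "www.freewebs.com", "members.lycos.co.uk", "forum.ragezone.com",
    "fdfddf.attorney-site.com", "asdffdgfg.mylawsite.net", "kupralana77.110mb.com",
    "kale45.php0h.com", "kale99.blog.co.uk", "ttyy.lookingat.us",
    "trrrr.cpa-site.com", "zopa.110mb.com", "ragai.myartsonline.com",
    "rrrr.bedclip.com", "zappa.4444mb.com",
}

# "client <ip>#<port>: query: <name> IN <type> ..." as written by BIND query logging.
QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(lines):
    """Yield (client_ip, query_name, qtype) for each parsable log line."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").lower().rstrip("."), m.group("qtype")

def clients_matching_iocs(lines, iocs=WORM_QUERIED_DOMAINS, min_distinct=2):
    """Map client IP -> sorted list of matched names, for clients that issued
    A-record queries for at least min_distinct distinct IoC names."""
    seen = defaultdict(set)
    for client, name, qtype in parse_queries(lines):
        if qtype == "A" and name in iocs:
            seen[client].add(name)
    return {c: sorted(n) for c, n in seen.items() if len(n) >= min_distinct}

# Constructed BIND-style query log lines, not a capture from a real resolver.
SAMPLE_LOG = [
    "14-Sep-2007 10:02:11.123 client 10.1.2.3#51234: query: kale45.php0h.com IN A + (10.1.1.1)",
    "14-Sep-2007 10:02:11.456 client 10.1.2.3#51235: query: zopa.110mb.com IN A + (10.1.1.1)",
    "14-Sep-2007 10:02:12.001 client 10.1.2.3#51236: query: sdgfg.alladultmale.com IN A + (10.1.1.1)",
    "14-Sep-2007 10:02:13.200 client 10.1.2.9#40011: query: www.freewebs.com IN A + (10.1.1.1)",
    "14-Sep-2007 10:02:14.010 client 10.1.2.9#40012: query: www.example.com IN A + (10.1.1.1)",
    "14-Sep-2007 10:02:15.000 client 10.1.2.7#40500: query: members.lycos.co.uk IN MX + (10.1.1.1)",
    "not a query line",
]

if __name__ == "__main__":
    for client, names in clients_matching_iocs(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

With the default threshold only 10.1.2.3 is reported; 10.1.2.9 made a single lookup of a shared hosting front page and 10.1.2.7 asked for an MX record, neither of which matches the behaviour the advisory describes. Lowering min_distinct to 1 turns the script into a plain IoC sweep when a broader first pass is wanted.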
Write-up by: Sandeep Paul