IM-Worm:W32/Skipi.A

IM-Worm:W32/Skipi.A is an IM-worm that spreads via the Instant Messaging application Skype Chat. It sends short text messages with URLs for two different websites. If the recipient follows the link, they are taken to a website where they are prompted to download a copy of the worm.After being run the worm displays an image, usually "Soap Bubbles" (this image is a standard wallpaper provided with the Windows operating system).

Installation

Once downloaded onto a computer, the worm drops the following copies of itself:

• %Windir%\system32\mshtmldat32.exe
• %Windir%\system32\sdrivew32.exe
• %Windir%\system32\winlgcvers.exe
• %Windir%\system32\wndrivs32.exe

The worm then installs itself to the system and creates several startup keys for itself in the Registry:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Services Start" = "mshtmldat32.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Windows Sys" = "explorer.exe mshtmldat32.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ "Logon Settings" = "mshtmldat32.exe

It also creates the following registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\RMX\cfg

This malware terminates processes with the following names:

• _AVP32
• _AVPCC
• _AVPM
• 53ARCH
• ACKWIN32
• ADAWARE
• ADVXDWIN
• AGENTSVR
• AGENTW
• ALERTSVC
• ALEVIR
• ALOGSERV
• AMON9X
• ANTI-TROJAN
• ANTIVIRUS
• APIMONITOR
• APLICA32
• APORTS
• APVXDWIN
• ARMKILLER
• ATCON
• ATGUARD
• ATRO55EN
• ATUPDATER
• ATWATCH
• AUPDATE
• AUTODOWN
• AUTOTRACE
• AUTOUPDATE
• AVCONSOL
• AVE32
• AVGCC32
• AVGCTRL
• AVGNT
• AVGSERV
• AVGSERV9
• AVGUARD
• AVKPOP
• AVKSERV
• AVKSERVICE
• AVKWCTl9
• AVLTMAIN
• AVP32
• AVPCC
• AVPDOS32
• AVPTC32
• AVPUPD
• AVSCHED32
• AVSYNMGR
• AVWIN95
• AVWINNT
• AVWUPD
• AVWUPD32
• AVWUPSRV
• AVXMONITOR9X
• AVXMONITORNT
• AVXQUAR
• BACKWEB
• BARGAINS
• BD_PROFESSIONAL
• BEAGLE
• BIDEF
• BIDSERVER
• BIPCP
• BIPCPEVALSETUP
• BLACKD
• BLACKICE
• BOOTCONF
• BOOTWARN
• BORG2
• BRASIL
• BS120
• BUNDLE
• CCAPP
• CCEVTMGR
• CCPXYSVC
• CFGWIZ
• CFIADMIN
• CFIAUDIT
• CFINET
• CFINET32
• Claw95
• CLAW95CF
• CLEAN
• CLEANER
• CLEANER3
• CLEANPC
• CLICK
• CLIENT
• CMD32
• CMESYS
• CMGRDIAN
• CMON016
• CONDOM
• CPF9X206
• CPFNT206
• CRACKER
• CWNB181
• CWNTDWMO
• DATEMANAGER
• DCOMX
• DEFALERT
• DEFSCANGUI
• DEFWATCH
• DEPUTY
• DLLCACHE
• DLLREG
• DOORS
• DPFSETUP
• DPPS2
• DRWATSON
• DRWEB32
• DRWEBUPW
• DSSAGENT
• DVP95
• DVP95_0
• ECENGINE
• EFPEADM
• ESAFE
• ESCANH95
• ESCANHNT
• ESCANV95
• ESPWATCH
• ETHEREAL
• ETRUSTCIPE
• EXE.AVXW
• EXPERT
• EXPLORE
• F-AGNT95
• F-AGOBOT
• FAMEH32
• FCH32
• FIH32
• FINDVIRU
• FIREWALL
• FLOWPROTECTOR
• FNRB32
• FPORT
• FPROT
• F-PROT
• F-PROT95
• FP-WIN
• FP-WIN_TRIAL
• FRHED
• FSAV32
• FSAV530STBYB
• FSAV530WTBYB
• FSAV95
• FSGK32
• FSM32
• FSMA32
• FSMB32
• F-STOPW
• GATOR
• GBMENU
• GBPOLL
• GENERICS
• GUARD
• GUARDDOG
• HACKTRACERSETUP
• HBINST
• HBSRV
• HIJACKTHIS
• HONEYD
• HOTACTIO
• HOTPATCH
• HTLOG
• HTPATCH
• HXIUL
• IAMAPP
• IAMSERV
• IAMSTATS
• IBMASN
• IBMAVSP
• ICESWORD
• ICLOAD95
• ICLOADNT
• ICMON
• ICSUPP95
• ICSUPPNT
• IEDLL
• IEDRIVER
• IEXPLORER
• IFACE
• IFW2000
• IISLOCKD
• INETLNFO
• INFUS
• INFWIN
• INTDEL
• INTREN
• IOMON98
• IPARMOR
• ISASS
• ISRV95
• ISTSVC
• JAMMER
• JDBGMRG
• KAVLITE40ENG
• KAVPERS40ENG
• KAVPF
• KAVSVC
• KAZZA
• KEENVALUE
• KERNEL32
• LAUNCHER
• LDNETMON
• LDPRO
• LDPROMENU
• LDSCAN
• LNETINFO
• LOADER
• LOCALNET
• LOCKDOWN
• LOCKDOWN2000
• LOGGER
• LOGVIEWER
• LOOKOUT
• LORDPE
• LSETUP
• LUALL
• LUCOMSERVER
• LUINIT
• LUSPT
• MAPISVC32
• MCAGENT
• MCMNHDLR
• MCSHIELD
• MCTOOL
• MCUPDATE
• MCVSRTE
• MCVSSHLD
• MFIN32
• MFW2EN
• MFWENG3.02D30
• MGAVRTCL
• MGAVRTE
• MGHTML
• MINILOG
• MONITOR
• MOOLIVE
• MOSTAT
• MPFAGENT
• MPFSERVICE
• MPFTRAY
• MRFLUX
• MSAPP
• MSBLAST
• MSCACHE
• MSCCN32
• MSCMAN
• MSCONFIG
• MSDOS
• MSIEXEC16
• MSINFO32
• MSLAUGH
• MSMGT
• MSMSGRI32
• MSSMMC32
• MSSYS
• MSVXD
• MU0311AD
• MWATCH
• N32SCANW
• NAVAP.NAVAPSVC
• NAVAPSVC
• NAVAPW32
• NAVDX
• NAVLU32
• NAVNT
• NAVSTUB
• NAVW32
• NAVWNT
• NC2000
• NCINST4
• NDD32
• NEOMONITOR
• NEOWATCHLOG
• NETARMOR
• NETD32
• NETINFO
• NETMON
• NETSCANPRO
• NETSTAT
• NETUTILS
• NISSERV
• NISUM
• NMAIN
• NOD32
• NOD32CC
• NOD32KRN
• NOD32KUI
• NOD32M2
• NORMIST
• NOTSTART
• NPFMESSENGER
• NPROTECT
• NPSCHECK
• NPSSVC
• NSCHED32
• NSSYS32
• NSTASK32
• NSUPDATE
• NTRTSCAN
• NTVDM
• NTXconfig
• NUPGRADE
• NVARCH16
• NVC95
• NVSVC32
• NWINST4
• NWSERVICE
• NWTOOL16
• OLLYDBG
• ONSRVR
• OPTIMIZE
• OSTRONET
• OTFIX
• OUTPOST
• OUTPOSTINSTALL
• PADMIN
• PANIXK
• PATCH
• PAVCL
• PAVPROXY
• PAVSCHED
• PCC2002S902
• PCC2K_76_1436
• PCCIOMON
• PCCNTMON
• PCCWIN97
• PCCWIN98
• PCDSETUP
• PCFWALLICON
• PCIP10117_0
• PCSCAN
• PDSETUP
• PEDASM
• PENIS
• PERISCOPE
• PERSFW
• PERSWF
• pexplorer
• PFWADMIN
• PGMONITR
• PINGSCAN
• PLATIN
• PMDUMP
• POP3TRAP
• POPROXY
• POPSCAN
• PORTDETECTIVE
• PORTMONITOR
• POWERSCAN
• PPINUPDT
• PPTBC
• PPVSTOP
• PRIZESURFER
• PRMVR
• PROCDUMP
• PROCESSMONITOR
• PROCEXP
• PROGRAMAUDITOR
• PROPORT
• PROTECTX
• PURGE
• PUSSY
• PVIEW95
• QCONSOLE
• QSERVER
• RAPAPP
• RAV7WIN
• RAV8WIN32ENG
• RCSYNC
• REALMON
• REGCLEANER
• REGED
• REGEDIT
• REGEDT32
• RERGCLEANR
• RESCUE
• RESCUE32
• RRGUARD
• RSHELL
• RTVSCAN
• RTVSCN95
• RULAUNCH
• RUN32DLL
• RUNDLL
• RUNDLL16
• RUXDLL32
• SAFEWEB
• SAHAGENT
• SAVENOW
• SBSERV
• SCAM32
• SCAN32
• SCAN95
• SCANPM
• SCRSCAN
• SCRSVR
• SCVHOST
• SERV95
• SERVICE
• SERVLCE
• SERVLCES
• SETUPVAMEEVAL
• SGSSFW32
• SHELLSPYINSTALL
• SHOWBEHIND
• SMSS32
• SPERM
• SPHINX
• SPOLER
• SPOOLCV
• SPOOLSV32
• SPYXX
• SREXE
• SS3EDIT
• SSG_4104
• SSGRATE
• START
• STCLOADER
• SUPFTRL
• SUPPORT
• SUPPORTER5
• SVCHOSTC
• SVCHOSTS
• SVSHOST
• SWEEP95
• SYMPROXYSVC
• SYMTRAY
• SYSEDIT
• SYSTEM
• SYSTEM32
• SYSUPD
• TASKMG
• TASKMO
• TASKMON
• TAUMON
• TBSCAN
• TCPVIEW
• TDS2-98
• TDS2-NT
• TDS-3
• TEEKIDS
• TFAK5
• TGBOB
• TITANIN
• TITANINXP
• TRACERT
• TRICKLER
• TRJSCAN
• TRJSETUP
• TROJANTRAP3
• TSADBOT
• TVTMD
• UNDOBOOT
• UPDAT
• UPDATE
• UPGRAD
• UTPOST
• VBCMSERV
• VBCONS
• VBUST
• VBWIN9X
• VBWINNTW
• VCSETUP
• VET32
• VET95
• VETTRAY
• VFSETUP
• VIR-HELP
• VNLAN300
• VNPC3000
• VPC32
• VPC42
• VPFW30S
• VPTRAY
• VSCAN40
• VSCENU6.02D30
• VSCHED
• VSECOMR
• VSHWIN32
• VSISETUP
• VSMAIN
• VSMON
• VSSTAT
• VSWIN9XE
• VSWINNTSE
• VSWINPERSE
• W32DSM89
• WATCHDOG
• WEBDAV
• WEBSCANX
• WEBTRAP
• WFINDV32
• WGFE95
• WHOSWATCHINGME
• WIMMUN32
• WIN32
• WIN32US
• WINACTIVE
• WIN-BUGSFIX
• WINDBG
• WINDOW
• WINDOWS
• WINDUMP
• WININETD
• WININIT
• WININITX
• WINLOGIN
• WINMAIN
• WINNET
• WINPPR32
• WINRECON
• WINSERVN
• WINSSK32
• WINSTART
• WINSTART001
• WINTSK32
• WINUPDATE
• WKUFIND
• WRADMIN
• WRCTRL
• WSBGATE
• WUPDATER
• WUPDT
• XPF202EN
• ZAPRO
• ZAPSETUP3001
• ZATUTOR
• ZONALM2601
• ZONEALARM

The worm also modifies the Windows HOSTS file in order to block access to anti-virus vendor sites. It modifies the HOSTS file in a way that when the user access an anti-virus site, it will be redirected to a random IP address. Here are the related antivirus sites:

• antivirus.esaugumas.lt
• aonealarm.com
• avast.com
• avp.com
• barracudanetworks.com
• bitdefender.com
• bkav.com.vn
• ca.com
• dispatch.mcafee.com
• drweb.com
• esaugumas.lt
• esecurity.lt
• eset.com
• free-av.com
• f-secure.com
• grisoft.com
• kaspersky.com
• kaspersky.ru
• kaspersky-labs.com
• mast.mcafee.com
• mcafee.com
• microsoft.com
• my-etrust.com
• nai.com
• networkassociates.com
• nod32.com
• nod32.datsec.de
• nod32.de
• nod32.it
• nod32.nl
• nod32-es.com
• norman.com
• pandasecurity.com
• pandasoftware.com
• sandbox.norman.com
• sophos.com
• symantec.com
• symantecliveupdate.com
• trendmicro.com
• viruslist.com
• virusscan.jotti.org
• virustotal.com
• windowsupdate.microsoft.com
• www.free-av.com

Propagation

This malware communicates with Skype using the API "SkypeControlAPIDiscover". When connected to Skype, it sets the status of the Skype User as DND or "Do not Disturb".It also sends messages to all of the Skype Contacts on the infected user's computer. Below are the possible messages:

• (devil)
• (happy)
• (mm) kaip as taves noriu
• (rofl)
• as net nezinau ka tavo vietoj daryciau.
• cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
• cia tu isimetei ?
• geras ane ?
• haha lol
• how are u ? :)
• I used photoshop and edited it
• kas cia tavim taip isderge ? =]]
• labas
• look what crazy photo Tiffany sent to me,looks cool
• matai :D
• now u populr
• oh sry not for u
• oops sorry please don't look there :S
• pala biski
• patinka?
• really funny
• this (happy) sexy one
• u happy ?
• what ur friend name wich is in photo ?
• where I put ur photo :D
• you checked ?
• your photos looks realy nice
• zek kur tavo foto metos isdergta
• ziurek kur tavo foto imeciau :D

It includes a link that points to any of the following URLs. The links below point to copies of the malware:

• https://www.fakme.org/erotic-gallerys/usr5d8c/[removed]
• https://www.myimagespace.net/erotic-gallerys/usr5d8c/[removed]

The worm copy located on these sites will usually have an SCR extension.The worm also copies itself to all available removable drives with the name of "game.exe". It also creates an autorun.inf file so that when the removable drive is accessed, the malware will run.

Payload

The worm attempts to check connectivity and may download a file from the following sites:

• ragai.myartsonline.com
• bedclip.com
• 4444mb.com
• www.gamesforum.com/[removed].php?u=13699
• sdgfg.alladultmale.com
• www.freewebs.com/kole123a/[removed].htm
• members.lycos.co.uk/kale77a/[removed].htm
• forum.ragezone.com/members/superkliper9999/[removed].htm
• fdfddf.attorney-site.com
• asdfdgfg.mylawsite.net
• kupralana77.110mb.com
• www.kale45.php0h.com
• kale99.blog.co.uk
• ttyy.lookingat.us
• trrrr.cpa-site.com
• zopa.110mb.com