Mal/Pykse-A is a worm for the Windows platform.
Mal/Pykse-A is most likely to be installed by clicking on a link contained in a received Skype message. The worm spreads by sending messages to online contacts using the Skype API. If the recipient clicks on the link, a Trojan dropper (detected as Troj/Dropper-OI) is downloaded. When Troj/Dropper-OI is executed, an enticing image is displayed, and Mal/Pykse-A is dropped and silently executed.
Mal/Pykse-A installs itself as Skype.exe in the Windows system folder. A DLL component is also installed in the system folder as Invisible002.dll.
The following Registry entries are added to hook system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SkypeStartup
(system)\Skype.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SkypeStartup
(system)\Skype.exe
The following Registry entries are added to install the dropped DLL as a browser helper object:
HKCR\CLSID\(7FB39839-665D-4D47-873C-D3FD9009FC3B)
HKCR\Interface\(7FB19539-665D-4D47-873C-D3FD9719FC3B)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(7FB39839-665D-4D47-873C-D3FD9009FC3B)
The worm also adds the following Registry entry:
HKCU\Software\SkypeWorm
Once running, Mal/Pykse-A attempts to connect to a number of remote websites.
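The Registry entries listed above can be checked offline against a registry export. The following is an added example, not part of the original description: it scans .reg text for the SkypeStartup Run value, the browser helper object GUIDs and the SkypeWorm key. The function name scan_reg_export and the sample export are constructed for illustration, and GUIDs are matched without brackets because the description prints them in parentheses, whereas registry exports write them in braces.

```python
import re

# Indicators from the description above. GUIDs are stored without brackets:
# the page prints them in parentheses, registry exports use braces.
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"
RUN_VALUE = "skypestartup"
KEY_MARKERS = {
    r"\clsid\7fb39839-665d-4d47-873c-d3fd9009fc3b": "BHO class registration",
    r"\interface\7fb19539-665d-4d47-873c-d3fd9719fc3b": "interface registration",
    r"\browser helper objects\7fb39839-665d-4d47-873c-d3fd9009fc3b": "browser helper object",
    r"\software\skypeworm": "worm marker key",
}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
GUID = re.compile(r"[{(]([0-9a-f-]{36})[})]")

def scan_reg_export(text):
    """Return (label, detail) pairs for indicators found in decoded .reg text."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # Suffix matching also covers HKEY_USERS\<SID>\... and Wow6432Node views.
            key = GUID.sub(r"\1", m.group(1).lower())
            findings += [(label, m.group(1)) for marker, label in KEY_MARKERS.items()
                         if key.endswith(marker)]
            continue
        m = VALUE.match(line)
        if m and key.endswith(RUN_SUFFIX) and m.group(1).lower() == RUN_VALUE:
            # Undo .reg escaping so the path can be compared with the system folder.
            findings.append(("run value SkypeStartup", re.sub(r"\\(.)", r"\1", m.group(2))))
    return findings

# Constructed sample export (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"SkypeStartup"="C:\\WINDOWS\\system32\\Skype.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}]

[HKEY_CURRENT_USER\Software\SkypeWorm]
'''

if __name__ == "__main__":
    for label, detail in scan_reg_export(SAMPLE):
        print(f"{label}: {detail}")
```

Files written by regedit or `reg export` are UTF-16, so decode them before passing the text in. The Run value is flagged by name only; the reported path still needs comparing with the system folder location given in the description.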