Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2007 (4.18) |
| Protection available since | 16 April 2007 11:12:45 (GMT) |
| Detected by | All Sophos products |
Action

Your options
- Please send us a sample to assist in improving our technology
- Use the instructions for removing generically detected files to delete the file from your computer
- If problems persist, contact Sophos support for assistance with removal
More Information
Mal/Pykse-A is a worm for the Windows platform.
Mal/Pykse-A is most likely to be installed by clicking on a link contained in a received Skype message. The worm spreads by sending messages to online contacts using the Skype API. If the recipient clicks on the link, a Trojan dropper (detected as Troj/Dropper-OI) is downloaded. When Troj/Dropper-OI is executed, an enticing image is displayed, and Mal/Pykse-A is dropped and silently executed.
Mal/Pykse-A installs itself as Skype.exe in the Windows system folder. A DLL component is also installed in the system folder as Invisible002.dll.
The following Registry entries are added to hook system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SkypeStartup
(system)\Skype.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SkypeStartup
(system)\Skype.exe
The following Registry entries are added to install the dropped dll as a browser helper object:
HKCR\CLSID\(7FB39839-665D-4D47-873C-D3FD9009FC3B)
HKCR\Interface\(7FB19539-665D-4D47-873C-D3FD9719FC3B)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(7FB39839-665D-4D47-873C-D3FD9009FC3B)
The worm also adds the following Registry entry:
HKCU\Software\SkypeWorm
Once running, Mal/Pykse-A attempts to connect to a number of remote websites.
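The file and Registry artifacts listed above can be checked on a host with a short read-only script. This is an added example, not Sophos code; it assumes "(system)" means the folder returned by `[Environment]::SystemDirectory`, and it tests each GUID both in the parenthesised form printed on this page and in the brace-wrapped form normally used for CLSIDs.

```powershell
# Added example: read-only check for the Mal/Pykse-A artifacts listed on this page.
$findings = @()

# Run-key persistence: a value named SkypeStartup in either hive.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $v = Get-ItemProperty -Path $key -Name 'SkypeStartup' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value SkypeStartup in $key -> $($v.SkypeStartup)" }
}

# Dropped files in the Windows system folder (assumed meaning of "(system)").
$sysDir = [Environment]::SystemDirectory
foreach ($name in 'Skype.exe', 'Invisible002.dll') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# COM and browser helper object registration. GUIDs are copied from the page;
# the brace-wrapped spelling is an assumption based on standard CLSID notation.
$guidKeys = @(
    @{ Root = 'Registry::HKEY_CLASSES_ROOT\CLSID';     Guid = '7FB39839-665D-4D47-873C-D3FD9009FC3B' },
    @{ Root = 'Registry::HKEY_CLASSES_ROOT\Interface'; Guid = '7FB19539-665D-4D47-873C-D3FD9719FC3B' },
    @{ Root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Guid = '7FB39839-665D-4D47-873C-D3FD9009FC3B' }
)
foreach ($entry in $guidKeys) {
    foreach ($name in ('(' + $entry.Guid + ')'), ('{' + $entry.Guid + '}')) {
        $path = $entry.Root + '\' + $name
        if (Test-Path -LiteralPath $path) { $findings += "Registry key present: $path" }
    }
}

# Additional key the worm adds under the current user's hive.
if (Test-Path -LiteralPath 'HKCU:\Software\SkypeWorm') {
    $findings += 'Registry key present: HKCU:\Software\SkypeWorm'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Mal/Pykse-A artifacts from this list were found.'
}
```

The HKCU checks only cover the account running the script, so run it once per user profile. On 64-bit Windows, 32-bit processes are redirected to SysWOW64 and WOW6432Node, which this example does not inspect.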
