Latest Skype Worm – W32/Pykse.A

A new piece of malware, detected as W32/Pykse.A by Symantec, Mal/Pykse-A by Sophos and W32/Pykse.worm.a by McAfee, is making the rounds through Skype. The worm affects Windows only. It spreads by using the Skype API to send every online contact in the victim's Skype contact list a message containing a link that looks like it leads to a picture on a website. Once the link is clicked, the malware runs, sets Skype's status to Do Not Disturb, and then sends the same message to everyone in the user's contact list. Here is some of what it does when the link is clicked.

When the worm executes, it creates the following files, which have attributes set as hidden, read-only, and system:

%Temp%\[ORIGINAL FILE NAME EXECUTABLE].jpg
%Temp%\[RANDOM CHARACTERS].exe

The worm also creates the following files:

%System%\Invisible002.dll
%System%\Skype.exe

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SkypeStartup" = "%System%\Skype.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SkypeStartup" = "%System%\Skype.exe"

The worm also creates the following registry entries:
HKEY_CLASSES_ROOT\AppID\"" = "Invisible"
HKEY_CLASSES_ROOT\AppID\Invisible.dll\"AppID" = ""
HKEY_CURRENT_USER\Software\SkypeWorm\cfg\"n" = "%Temp%\[RANDOM CHARACTERS].exe"

The worm creates registry entries under the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{7FB39839-665D-4D47-873C-D3FD9009FC3B}
HKEY_CLASSES_ROOT\TypeLib\{7FB29539-665D-4D47-873C-D3FD9719FC3B}\1.0
HKEY_CLASSES_ROOT\Interface\{7FB19539-665D-4D47-873C-D3FD9719FC3B}

It then creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}

Next, the worm displays the following image:
%Temp%\[ORIGINAL FILE NAME EXECUTABLE].jpg

Source: W32.Pykspa.A from Symantec
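As an added example (not part of the original post or of any vendor tool), the following Python reads a Windows registry export (.reg text) and flags the persistence artifacts listed above: the "SkypeStartup" Run value, the SkypeWorm\cfg key and the Browser Helper Object CLSID. It assumes the legitimate Skype client is installed under Program Files, and the sample export it scans is constructed.

```python
import re

# Indicators taken from the write-up above.
RUN_VALUE_NAME = "SkypeStartup"
BHO_CLSID = "{7FB39839-665D-4D47-873C-D3FD9009FC3B}"
WORM_CFG_KEY = r"HKEY_CURRENT_USER\Software\SkypeWorm\cfg"

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; keys with no values map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"=(?:"(.*)"|(.*))$', line)
            if m:
                data = m.group(2) if m.group(2) is not None else m.group(3)
                keys[current][m.group(1)] = data.replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def find_pykse_indicators(text):
    """Return a sorted list of human-readable hits for the artifacts listed in the post."""
    hits = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == WORM_CFG_KEY.lower():
            hits.append("worm config key present: " + key)
        if k.endswith("\\browser helper objects\\" + BHO_CLSID.lower()):
            hits.append("BHO registered with worm CLSID " + BHO_CLSID)
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name == RUN_VALUE_NAME:
                    hits.append(f"Run value {name!r} -> {data}")
                # Assumption: the real Skype client installs under Program Files, so Skype.exe run at logon from elsewhere (e.g. %System%) is suspect.
                elif data.lower().endswith(r"\skype.exe") and "program files" not in data.lower():
                    hits.append(f"Run value {name!r} starts Skype.exe outside Program Files: {data}")
    return sorted(hits)

# Constructed sample export: worm artifacts mixed with one benign Run value.
INFECTED_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"SkypeStartup"="C:\\Windows\\System32\\Skype.exe"
[HKEY_CURRENT_USER\Software\SkypeWorm\cfg]
"n"="C:\\Users\\alice\\AppData\\Local\\Temp\\xkqpwz.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}]
"""
```

Running `find_pykse_indicators` over a `reg export` of HKCU and HKLM gives three hits for the constructed sample and an empty list for a machine where Skype.exe starts only from Program Files.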

The risk is currently rated very low, and if you practice safe computing, meaning you don't click on every link that is sent to you, you will probably be okay, since the worm needs you to click the link and visit the malicious site or sites. Here is some info that InfoWorld had.

The link also directs users to at least eight Web sites with information about Africa. It's not clear what type of scam or harm those pages intend, but some of the sites have advertising on them, indicating that it might be a click-fraud scam, said Graham Cluley, senior technology consultant for Sophos. Click fraud refers to the various tricks used to get clicks on advertising banners, which generate revenue for Web page owners.

Source: New worm wriggles around on Skype

Here is the image the worm sends out, so you will know what to look for.

W32/Pykse.A spammed image