Win32/Skintrim is a trojan that downloads and executes arbitrary files, including updates and additional malware, from a predefined Web site, and displays advertisements. This trojan may be distributed by certain Web sites as a Microsoft Outlook add-on used to display 'emoticons' (icons that represent emotions) or other animated icons within e-mail messages.
Installation
When the installer for this trojan is run, it creates the following files:
%ProgramFiles%\MailSkinner\anim_0.gif
%ProgramFiles%\MailSkinner\anim_help.gif
%ProgramFiles%\MailSkinner\MailSkinner.exe
%ProgramFiles%\MailSkinner\OLSkinner.dll
%ProgramFiles%\MailSkinner\uninst.exe
%windir%\pack.epk
%windir%\Temp\setup.exe
%windir%\Temp\msksetup.log
%windir%\Temp\license.dat
<system folder>\nvs2.inf
<system folder>\<random>.exe
<system folder>\<random>.dat
where <random> is a filename composed of random letters, e.g. abdvfctghz.exe or abdvfctghz.dat. The installer may also create the file %ProgramFiles%\MailSkinner\msbackup.dat. The installer program may create the following mutexes:
1C5F0C6B74194489B807401A853EB5E3
mymutsglwork
DBWinMutex
RasPbFile
eghost_p_mutex
eghost_f_mutex
eghost_kv_mutex
eghost_kn_mutex
The installer executes the dropped randomly named executable from the <system folder>, then modifies the registry so that both the MailSkinner component and the randomly named executable run at each Windows start:
Adds value: MailSkinner
With data: %ProgramFiles%\MailSkinner\mailskinner.exe
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: <random>
With data: <system folder>\<random>.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Win32/Skintrim may inject code into other processes. The installer may use REGSVR32 to install the DLL component.
The installer may also create the following registry keys (used for the Outlook add-in registration, the installer's own configuration, and the uninstall entry):
HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}
HKEY_CLASSES_ROOT\OutlookAddin.Addin.1
HKEY_CLASSES_ROOT\OutlookAddin.Addin
HKEY_CURRENT_USER\software\epk_extr
HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}
HKEY_CURRENT_USER\software\mailskinner
HKEY_LOCAL_MACHINE\Software\MailSkinner
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\AppPaths\MailSkinner.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailSkinner
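The file and Run-key indicators above can be checked offline against a collected triage package (a `reg export` of the two Run keys plus a file listing) rather than on the live host. The following matcher is an added example and is not code from this page or from Microsoft. It keeps the page's placeholders (%ProgramFiles%, %windir%, <system folder>) and expands them from an environment table; the random name is matched by a pattern rather than a fixed string, and, because a random-looking executable in the system folder is common, a hit on the <random> Run value also requires the value name to equal the file stem and a sibling <random>.dat to exist, as the page describes. The assumption that the random name consists of lowercase ASCII letters, the sample registry dump and file listing, and the function names are all constructed for this example.

```python
"""Offline matcher for the Win32/Skintrim installation indicators.

Added example, not from the page or from Microsoft. Reads a .reg-style
export of the two Run keys and a flat file listing.
"""
import re
from typing import Dict, List, Tuple

# File paths from the page, with placeholders kept exactly as the page writes
# them; they are expanded from an environment table at match time.
FILE_INDICATORS = [
    r"%ProgramFiles%\MailSkinner\MailSkinner.exe",
    r"%ProgramFiles%\MailSkinner\OLSkinner.dll",
    r"%ProgramFiles%\MailSkinner\uninst.exe",
    r"%ProgramFiles%\MailSkinner\msbackup.dat",
    r"%windir%\pack.epk",
    r"%windir%\Temp\msksetup.log",
    r"%windir%\Temp\license.dat",
    r"<system folder>\nvs2.inf",
]
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Assumption (not stated on the page): the random stem is lowercase ASCII
# letters; the page's example abdvfctghz is ten letters long.
RANDOM_STEM = re.compile(r"^[a-z]{6,16}$")

# Constructed environment for the sample host; set these for the triaged machine.
ENV = {
    "%ProgramFiles%": r"C:\Program Files",
    "%windir%": r"C:\Windows",
    "<system folder>": r"C:\Windows\system32",
}

# Constructed sample input in `reg export` style (not real artefacts).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"MailSkinner"="C:\\Program Files\\MailSkinner\\mailskinner.exe"
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"abdvfctghz"="C:\\Windows\\system32\\abdvfctghz.exe"
"""
SAMPLE_FILES = [
    r"C:\Program Files\MailSkinner\MailSkinner.exe",
    r"C:\Program Files\MailSkinner\OLSkinner.dll",
    r"C:\Windows\pack.epk",
    r"C:\Windows\system32\nvs2.inf",
    r"C:\Windows\system32\abdvfctghz.exe",
    r"C:\Windows\system32\abdvfctghz.dat",
    r"C:\Windows\system32\ctfmon.exe",        # no ctfmon.dat: must not be flagged
    r"C:\Windows\system32\SecurityHealthSystray.exe",
]


def expand(template: str, env: Dict[str, str]) -> str:
    """Replace the page's placeholders with concrete paths."""
    for key, val in env.items():
        template = template.replace(key, val)
    return template


def parse_run_values(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for string values under the two Run keys."""
    values, current = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current in RUN_KEYS:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg exports escape embedded quotes and backslashes
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                values.append((current, m.group(1), data))
    return values


def find_indicators(reg_text: str, files: List[str], env: Dict[str, str] = ENV) -> List[str]:
    """Return human-readable hits; an empty list means no Skintrim indicators."""
    present = {f.lower() for f in files}
    hits = []
    for tmpl in FILE_INDICATORS:
        path = expand(tmpl, env)
        if path.lower() in present:
            hits.append(f"file {tmpl} -> {path}")
    sysdir = env["<system folder>"].lower().rstrip("\\") + "\\"
    mailskinner = expand(r"%ProgramFiles%\MailSkinner\mailskinner.exe", env).lower()
    for _key, name, data in parse_run_values(reg_text):
        # Take only the executable path when the data is a quoted command line.
        target = (data[1:].split('"', 1)[0] if data.startswith('"') else data).lower()
        if name.lower() == "mailskinner" and target == mailskinner:
            hits.append(f"run value {name} -> {data}")
        elif target.startswith(sysdir) and target.endswith(".exe"):
            stem = target[len(sysdir):-4]
            # Page: the value name is the random stem and a sibling .dat is dropped.
            if RANDOM_STEM.match(stem) and name.lower() == stem \
                    and (sysdir + stem + ".dat") in present:
                hits.append(f"random run value {name} -> {data} (+ {stem}.dat)")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

The mutex names, the CLSID and the HKCU/HKLM configuration keys listed above are not covered by this offline check; they need a live host (for example an `OpenMutex` probe or a registry walk) and are best added as a second pass once the file and Run-key correlation has narrowed the candidate machines.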
Payload
Downloads and Executes Arbitrary Files
Win32/Skintrim downloads and executes arbitrary files, including updates and additional malware, from a predefined Web site.
Displays Advertisements
While Win32/Skintrim is active, it may display advertisements.
Additional Information
After installation, a message similar to the following may be displayed:
MailSkiner Setup
You can use MailSkinner with your outlook now. Enjoy
Lastly, the installer may open Internet Explorer to the following web page:
http://www.mailskinner.com/**************.php?nums=&hitname=MAILSKINNER
*This URL has been modified.
Analysis by Patrik Vicol