Worm:Win32/Pykspa.A


Encyclopedia entry
Updated: Sep 14, 2007  |  Published: Sep 11, 2007

Aliases
  • Win32/Pykbub.C (CA)
  • Worm.Win32.Skipi.b (Kaspersky)
  • W32/Pykse.worm.b (McAfee)
  • W32/Pykspa.D (Norman)
  • Mal/Behav-103 (Sophos)
  • Worm.Win32.Skipi.b (Sunbelt Software)
  • W32.Pykspa.D (Symantec)
  • WORM_SKIPI.A (Trend Micro)

Alert Level: Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


Summary

Worm:Win32/Pykspa.A is a worm that sends instant messages on behalf of a user logged into Skype, an Internet chat client application. The messages contain a link to a remote Web site hosting a copy of the worm. Worm:Win32/Pykspa.A also terminates processes and redirects Web browser connections for various security-related Web sites to random IP addresses.


Symptoms

The following symptoms may be indicative of a Worm:Win32/Pykspa.A infection:
  • Contact notification that a message was sent with strange content, and a link to a Web site
  • Presence of these files in the <system> folder:
     mshtmlsh32.exe
     sdrivec32.exe
     winlgcverx.exe
     wndrivsd32.exe
  • Presence of these registry keys:
    Value: Services Start<random digit>
    With data: mshtmlsh32.exe
    In subkey:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 
    Value: Logon Settings<random digit>
    With data: mshtmlsh32.exe
    Value: Windows Sysdat
    With data: explorer.exe mshtmlsh32.exe
    In subkey:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • An enlarged HOSTS file containing numerous references to security-related Web sites such as the following:
     152.33.175.124 www.symantec.com securityresponse.symantec.com
     106.68.249.248 pandasoftware.com
     127.86.43.21 www.pandasoftware.com
     18.9.227.56 sophos.com
     158.164.230.187 www.sophos.com
     255.248.27.63 mcafee.com
     212.150.219.68 www.mcafee.com
     41.63.104.247 downloads-us1.kaspersky-labs.com
  • Sudden termination of security-related applications or services after becoming infected
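A defender-side check for the HOSTS symptom, added here as an example and not part of the original entry: it parses HOSTS text and reports every entry for the vendor domains listed above, distinguishing redirects to arbitrary addresses from loopback black-holing. The watched-domain list and the sample file are constructed assumptions.

```python
import ipaddress
# Vendor domains taken from the symptom list above; suffix matching also
# covers hosts such as downloads-us1.kaspersky-labs.com.
WATCHED_DOMAINS = ("symantec.com", "pandasoftware.com", "sophos.com",
                   "mcafee.com", "kaspersky-labs.com")

def parse_hosts(text):
    """Yield (address, hostname) pairs; one HOSTS line may list several names."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/hostname entry
        for name in fields[1:]:
            yield addr, name.lower()

def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched vendor domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)

def classify(addr):
    """Loopback or unspecified targets silently block the site; others redirect it."""
    return "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"

def find_tampering(text):
    """Return (hostname, address, kind) for every watched domain present in text.
    A clean HOSTS file carries no vendor entries at all, so any hit is suspicious."""
    return [(name, str(addr), classify(addr))
            for addr, name in parse_hosts(text) if is_watched(name)]

# Constructed sample shaped like the symptoms above; the symantec line shows two
# host names sharing one address, as the HOSTS format permits.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
152.33.175.124 www.symantec.com securityresponse.symantec.com
106.68.249.248 pandasoftware.com
127.86.43.21 www.pandasoftware.com
18.9.227.56 sophos.com
255.248.27.63 mcafee.com
41.63.104.247 downloads-us1.kaspersky-labs.com
"""

if __name__ == "__main__":
    for host, ip, kind in find_tampering(SAMPLE_HOSTS):
        print(f"{kind}: {host} -> {ip}")
```

Note that a vendor host pointed at a 127.x.x.x address is just as effective at blocking updates as one pointed elsewhere, which is why the check reports both kinds.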


Technical Information (Analysis)

Worm:Win32/Pykspa.A is a worm that sends instant messages on behalf of a user logged into Skype, an Internet chat client application. The messages contain a link to a remote Web site hosting a copy of the worm. Worm:Win32/Pykspa.A also terminates processes and redirects Web browser connections for various security-related Web sites to random IP addresses.
 
Worm:Win32/Pykspa.A may be introduced to a system in two ways:
  • clicking a link referencing a remote Web site hosting a copy of the worm
  • mounting an infected removable drive with the "autorun" feature enabled
 
When Worm:Win32/Pykspa.A is run, it performs the following actions:
  • Displays the Windows bitmap file "Soap Bubbles.bmp" found in the %WinDir% folder to minimize suspicion
  • Drops copies of itself into the <system> folder:
     mshtmlsh32.exe
     sdrivec32.exe
     winlgcverx.exe
     wndrivsd32.exe
  • Modifies the registry to run copies of the worm at Windows startup:
    Adds value: Services Start<random digit>
    With data: mshtmlsh32.exe
    In subkey:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Adds value: Logon Settings<random digit>
    With data: mshtmlsh32.exe
    Adds value: Windows Sysdat
    With data: explorer.exe mshtmlsh32.exe
    In subkey:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Enumerates all removable drives using the Windows API GetDriveType and drops these files into the root of each drive found:
     game.exe
     zjbs.exe (sets file attributes system, hidden, read-only)
     autorun.inf (sets file attributes system, hidden, read-only)
    The startup configuration file autorun.inf contains instructions to automatically run zjbs.exe through the Windows application "Windows Picture and Fax Viewer".
  • Modifies the Windows HOSTS file (used for local host name resolution) to redirect Web browser connections for various security-related Web sites to random IP addresses, as in these examples:
     …
     152.33.175.124 www.symantec.com securityresponse.symantec.com
     106.68.249.248 pandasoftware.com
     127.86.43.21 www.pandasoftware.com
     18.9.227.56 sophos.com
     158.164.230.187 www.sophos.com
     255.248.27.63 mcafee.com
     212.150.219.68 www.mcafee.com
     41.63.104.247 downloads-us1.kaspersky-labs.com
  • Locates the running Skype process in all Windows sessions and, when found:
    • composes messages using this list of text strings
      (happy)
      sky
      ops
      pala biski
      as net nezinau ka tavo vietoj daryciau.
      matai :D
      geras ane ?
      patinka?
      kas cia tavim taip isderge ? =]]
      cia biski su photoshopu pazaidziau bet bet irgi gerai atrodai :D
      cia tu isimetei ?
      zek kur tavo foto metos isdergta
      (mm) kaip as taves noriu
      ziurek kur tavo foto imeciau :D
      esi?
      labas
      what ur friend name wich is in photo ?
      this (happy) sexy one
      u happy ?
      oh sry not for u
      oops sorry please don't look there :S
      you checked ?
      (rofl)
      (devil)
      really funny
      now u populr
      haha lol
      look what crazy photo Tiffany sent to me,looks cool
      I used photoshop and edited it
      where I put ur photo :D
      your photos looks realy nice
      look
      how are u ? :)
      hey
    • sends a message with the constructed body to each online contact
    • includes in the message a hyperlink to a remote Web site hosting a copy of the worm
    • sets the status of the logged-in Skype user to DND (Do Not Disturb)
  • Enumerates running processes and compares their names against an embedded list of partial file names, mostly belonging to antivirus, firewall, system and analysis utilities, and terminates any matching process
  • Connects to remote Web sites and attempts to download either index.htm or index.php, potentially downloading additional programs or malware


Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx.

Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.


Recovery

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Prevention" section for more information.