Win32/Skintrim


Win32/Skintrim is a trojan that downloads and executes arbitrary files, including updates and additional malware, from a predefined Web site, and displays advertisements. This trojan may be distributed by certain Web sites as a Microsoft Outlook add-on used to display 'emoticons' (that is, icons used to represent emotions) or other animated icons within e-mail messages.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
When the installer for this trojan is run, it creates the following files:
%ProgramFiles%\MailSkinner\anim_0.gif
%ProgramFiles%\MailSkinner\anim_help.gif
%ProgramFiles%\MailSkinner\MailSkinner.exe 
%ProgramFiles%\MailSkinner\OLSkinner.dll
%ProgramFiles%\MailSkinner\uninst.exe
%windir%\pack.epk
%windir%\Temp\setup.exe
%windir%\Temp\msksetup.log
%windir%\Temp\license.dat
<system folder>\nvs2.inf
<system folder>\<random>.exe
<system folder>\<random>.dat
where <random> is a filename composed of random letters, e.g. abdvfctghz.exe or abdvfctghz.dat; the .exe and .dat share the same random stem. The installer may also create the file %ProgramFiles%\MailSkinner\msbackup.dat. The installer program may create the following mutexes:
1C5F0C6B74194489B807401A853EB5E3
mymutsglwork
DBWinMutex
RasPbFile
eghost_p_mutex
eghost_f_mutex
eghost_kv_mutex
eghost_kn_mutex
The installer executes the dropped randomly named executable from the <system folder>, then modifies the registry so that both the installed copy of the trojan and the randomly named executable run at each Windows start (writing the HKEY_LOCAL_MACHINE value requires administrative rights, which users on Windows XP typically had by default):
Adds value: MailSkinner
With data: %ProgramFiles%\MailSkinner\mailskinner.exe
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: <random>
With data: <system folder>\<random>.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Win32/Skintrim may inject code into other processes. The installer may use regsvr32.exe to register the DLL component as a COM server, which is consistent with the CLSID and OutlookAddin.Addin ProgID entries listed below.
The installer may create the following additional registry keys:
HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}
HKEY_CLASSES_ROOT\OutlookAddin.Addin.1
HKEY_CLASSES_ROOT\OutlookAddin.Addin
HKEY_CURRENT_USER\software\epk_extr
HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}
HKEY_CURRENT_USER\software\mailskinner
HKEY_LOCAL_MACHINE\Software\MailSkinner
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\MailSkinner.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailSkinner
Payload
Downloads and Executes Arbitrary Files
Win32/Skintrim downloads and executes arbitrary files, including updates and additional malware, from a predefined Web site.
Displays Advertisements
While Win32/Skintrim is active, it may display advertisements.
Additional Information
After installation, a message, similar to the following, may be displayed:
 
MailSkiner Setup
You can use MailSkinner with your outlook now. Enjoy
 
Lastly, the installer may open Internet Explorer to the following web page:
http://www.mailskinner.com/**************.php?nums=&hitname=MAILSKINNER
*This URL has been modified.
 
Analysis by Patrik Vicol

Symptoms

System Changes
The following system changes may indicate the presence of this threat:
  • Presence of the following folders and files:
    %ProgramFiles%\MailSkinner\anim_0.gif
    %ProgramFiles%\MailSkinner\anim_help.gif
    %ProgramFiles%\MailSkinner\MailSkinner.exe
    %ProgramFiles%\MailSkinner\OLSkinner.dll
    %ProgramFiles%\MailSkinner\uninst.exe
    %windir%\pack.epk
    %windir%\Temp\setup.exe
    %windir%\Temp\msksetup.log
    %windir%\Temp\license.dat
    <system folder>\nvs2.inf
    <system folder>\<random>.exe
    <system folder>\<random>.dat
  • Presence of the following registry values with data:
    Value: MailSkinner
    With data: %ProgramFiles%\MailSkinner\mailskinner.exe
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Value: <random>
    With data: <system folder>\<random>.exe
    In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Presence of the following additional registry keys:
    HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}
    HKEY_CLASSES_ROOT\OutlookAddin.Addin.1
    HKEY_CLASSES_ROOT\OutlookAddin.Addin
    HKEY_CURRENT_USER\software\epk_extr
    HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}
    HKEY_CURRENT_USER\software\mailskinner
    HKEY_LOCAL_MACHINE\Software\MailSkinner
    HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\MailSkinner.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailSkinner
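The file, registry and mutex indicators listed under Installation and Symptoms, collected into a read-only triage script. This is an added example, not code from the Microsoft entry; it assumes <system folder> is %windir%\System32, that the <random> stem is 6 to 16 lowercase letters (the entry's example has 10), and that the mutexes, if present, live in the caller's session namespace. It reports; it does not remove anything.

```powershell
# Added example: report Win32/Skintrim indicators on the local host.
# Run from an elevated PowerShell prompt. Assumptions (not from the entry):
# <system folder> = %windir%\System32; <random> = 6-16 lowercase letters.

$hits  = @()
$sys32 = "$env:windir\System32"

# 1. Files with fixed names dropped by the installer.
$files = @(
    "$env:ProgramFiles\MailSkinner\MailSkinner.exe",
    "$env:ProgramFiles\MailSkinner\OLSkinner.dll",
    "$env:ProgramFiles\MailSkinner\uninst.exe",
    "$env:ProgramFiles\MailSkinner\msbackup.dat",
    "$env:windir\pack.epk",
    "$env:windir\Temp\setup.exe",
    "$env:windir\Temp\msksetup.log",
    "$env:windir\Temp\license.dat",
    "$sys32\nvs2.inf"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "File: $f" }
}

# 2. <random>.exe with a sibling <random>.dat in System32. Requiring the pair
#    avoids flagging legitimate lowercase names such as notepad.exe.
Get-ChildItem -LiteralPath $sys32 -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -cmatch '^[a-z]{6,16}$' } |
    ForEach-Object {
        $dat = Join-Path $sys32 ($_.BaseName + '.dat')
        if (Test-Path -LiteralPath $dat) { $hits += "Paired exe/dat: $($_.FullName) + $dat" }
    }

# 3. Run values: the MailSkinner value, and any value launching a
#    random-named exe straight out of System32.
$randomRun = '^"?' + [regex]::Escape($sys32) + '\\[a-z]{6,16}\.exe"?$'
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        $data = [string]$p.Value
        if ($p.Name -ieq 'MailSkinner' -or $data -imatch 'mailskinner\.exe') {
            $hits += "Run value: $k\$($p.Name) = $data"
        } elseif ($data -imatch $randomRun) {
            $hits += "Run value (random-named exe in System32): $k\$($p.Name) = $data"
        }
    }
}

# 4. Registry keys created by the installer.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}',
    'Registry::HKEY_CLASSES_ROOT\OutlookAddin.Addin.1',
    'Registry::HKEY_CLASSES_ROOT\OutlookAddin.Addin',
    'HKCU:\Software\epk_extr',
    'HKCU:\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}',
    'HKCU:\Software\mailskinner',
    'HKLM:\Software\MailSkinner',
    'HKLM:\Software\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\MailSkinner.exe',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\MailSkinner'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits += "Registry key: $k" }
}

# 5. Mutexes. DBWinMutex and RasPbFile are also created by legitimate Windows
#    components (debug output, RAS phonebook), so on their own they prove nothing.
foreach ($m in '1C5F0C6B74194489B807401A853EB5E3', 'mymutsglwork', 'DBWinMutex', 'RasPbFile',
               'eghost_p_mutex', 'eghost_f_mutex', 'eghost_kv_mutex', 'eghost_kn_mutex') {
    try {
        $h = [System.Threading.Mutex]::OpenExisting($m)
        $h.Dispose()
        $hits += "Mutex present: $m"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $hits += "Mutex present (no access): $m"       # exists, held by another account
    }
}

if ($hits.Count -eq 0) { 'No Win32/Skintrim indicators found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

A clean run is not proof of a clean host: the entry says the trojan injects into other processes and downloads further files, and the mutexes are created by the installer, so they may be gone once it has finished. Treat any hit as a reason to run the full-system scan recommended above rather than as the end of the investigation.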

Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Alert level: Severe
This entry was first published on: Sep 01, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Mailskinner.34816 (AhnLab)
  • W32/Mailskinner.A (Command)
  • Generic2.BAZ (AVG)
  • MailSkinner (McAfee)
  • Adware/NaviPromo (Panda)
  • Mal/Behav-155 (Sophos)
  • Trojan.Skintrim (Symantec)
  • Trojan.Mailskinner.A (VirusBuster)
  • Adware.Win32.MailSkinner (other)