TrojanDropper:Win32/MessengerSkinner is a program that may be distributed as a freeware application. It displays advertisements, downloads additional files, and uses stealth to hide its presence.
Installation
During installation, an end user license agreement (EULA) may be presented; however, it differs from the EULA shown by clicking "Terms and Conditions" in the program's entry on the Start menu. The new EULA notifies the user of intensive collection of browsing habits and computer information, and of the continuation of advertisements for up to 3 months after the program is removed (uninstalled).
When executed, the installer creates the following folders:
%ProgramFiles%\messengerskinner
%ProgramFiles%\messengerskinner\resources
%ProgramFiles%\messengerskinner\download
%ProgramFiles%\messengerskinner\updates
%UserProfile%\start menu\programs\messengerskinner
%AppData%\messengerskinner
%AppData%\messengerskinner\userdata
Next, the installer adds the following files to these folders:
%AppData%\MessengerSkinner\Userdata\languages_v2.xml
%UserProfile%\Start Menu\Programs\MessengerSkinner\MessengerSkinner.lnk
%UserProfile%\Start Menu\Programs\MessengerSkinner\Privacy Policy.lnk
%UserProfile%\Start Menu\Programs\MessengerSkinner\Terms and conditions.lnk
%UserProfile%\Start Menu\Programs\MessengerSkinner\Website.lnk
%ProgramFiles%\MessengerSkinner\MessengerSkinner.exe
%ProgramFiles%\MessengerSkinner\MessengerSkinnerDll.dll
%ProgramFiles%\MessengerSkinner\Privacy Policy.url
%ProgramFiles%\MessengerSkinner\Terms and conditions.url
%ProgramFiles%\MessengerSkinner\uninst.exe
%ProgramFiles%\MessengerSkinner\Website.url
%ProgramFiles%\MessengerSkinner\download\defaultPack.cab
%ProgramFiles%\MessengerSkinner\resources\appconfig.xml
%ProgramFiles%\MessengerSkinner\resources\btn.rgn
%ProgramFiles%\MessengerSkinner\resources\btnBnr.rgn
%ProgramFiles%\MessengerSkinner\resources\btnIn.rgn
%ProgramFiles%\MessengerSkinner\resources\btnInNormal.bmp
%ProgramFiles%\MessengerSkinner\resources\btnInOver.bmp
%ProgramFiles%\MessengerSkinner\resources\btnNormal.bmp
%ProgramFiles%\MessengerSkinner\resources\btnNormal.gif
%ProgramFiles%\MessengerSkinner\resources\btnNormalBnr.bmp
%ProgramFiles%\MessengerSkinner\resources\btnNormalBnr.gif
%ProgramFiles%\MessengerSkinner\resources\btnOver.bmp
%ProgramFiles%\MessengerSkinner\resources\btnOver.gif
%ProgramFiles%\MessengerSkinner\resources\btnOverBnr.bmp
%ProgramFiles%\MessengerSkinner\resources\btnOverBnr.gif
%ProgramFiles%\MessengerSkinner\resources\languages_v2.xml
%WinDir%\Temp\NSIS_install_msgskinner.exe
%ProgramFiles%\messengerskinner\download\defaultpack.cab
The installer drops two stealth components as the following files:
<system folder>\<random>.exe
<system folder>\<random>.dat
TrojanDropper:Win32/MessengerSkinner makes the following registry modification to ensure that it runs at each Windows start:
Adds value: <random>
With data: "<system folder>\<random>.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The installer makes additional registry modifications.
Adds value: MessengerSkinner
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE
Adds value: epk_extr
To subkey: HKEY_CURRENT_USER\SOFTWARE
Adds value: MessengerSkinner
With data: %ProgramFiles%\MessengerSkinner\uninst.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
TrojanDropper:Win32/MessengerSkinner may attempt to update itself by downloading additional programs from remote web sites.
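The file and registry indicators listed above can be checked against an exported host snapshot. The following is an added example, not part of the original description or any vendor tooling. The function names, the snapshot layout (a list of file paths plus `(subkey, value name, data)` tuples) and all sample values are assumptions constructed for illustration.

```python
import ntpath

# Indicators from the description above, lower-cased: Windows paths are case-insensitive.
INSTALL_DIRS = (r"%programfiles%\messengerskinner",
                r"%appdata%\messengerskinner",
                r"%userprofile%\start menu\programs\messengerskinner")
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
UNINSTALL = r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall"

def norm(path, env):
    """Strip quotes, lower-case, and fold a concrete prefix back to %Var% form."""
    p = path.strip().strip('"').lower()
    # Longest value first, so %AppData% wins over its parent %UserProfile%.
    for var, val in sorted(env.items(), key=lambda kv: -len(kv[1])):
        v = val.lower().rstrip("\\")
        if p == v or p.startswith(v + "\\"):
            return "%" + var.lower() + "%" + p[len(v):]
    return p

def triage(files, reg_values, env, system_folder):
    """Return (finding, detail) pairs for a host snapshot (hypothetical layout)."""
    hits = []
    for f in files:
        n = norm(f, env)
        if any(n == d or n.startswith(d + "\\") for d in INSTALL_DIRS):
            hits.append(("install-artifact", f))
    sysdir = system_folder.lower().rstrip("\\")
    for subkey, name, data in reg_values:
        key = subkey.lower().rstrip("\\")
        target = data.strip().strip('"').lower()  # Run data is quoted on the page
        if key == RUN and target.endswith(".exe") and ntpath.dirname(target) == sysdir:
            # Value name is random: match on shape only, and review hits (not a verdict).
            hits.append(("run-exe-in-system-folder", name))
        elif key == UNINSTALL and name.lower() == "messengerskinner":
            hits.append(("uninstall-entry", name))
    return hits

# Constructed sample snapshot (not taken from a real host).
ENV = {"ProgramFiles": r"C:\Program Files", "UserProfile": r"C:\Users\alice",
       "AppData": r"C:\Users\alice\AppData\Roaming"}
FILES = [r"C:\Program Files\MessengerSkinner\resources\appconfig.xml",
         r"C:\Users\alice\AppData\Roaming\messengerskinner\userdata\languages_v2.xml",
         r"C:\Program Files\Other\app.exe"]
REG = [(RUN, "qzxkvw", r'"C:\Windows\System32\qzxkvw.exe"'),
       (RUN, "Updater", r"C:\Program Files\Other\app.exe"),
       (UNINSTALL, "MessengerSkinner", r"C:\Program Files\MessengerSkinner\uninst.exe")]

if __name__ == "__main__":
    print(*triage(FILES, REG, ENV, r"C:\Windows\System32"), sep="\n")
```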