Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Installation

When executed, the worm drops a JPEG file in the %temp% folder. Name of the file is identical to that of the original executable, jpg extension is used instead. The worm opens the file using the default image viewer.

Another executable with a random name is dropped in the same folder. Size of the file is 96 kB. The file is then executed.

The following file is dropped in the %system% or %temp% folder:

Invisible002.dll

Size of the file is 56 kB. The worm registers it as a Browser Helper Object for Internet Explorer.

The worm keeps various information in the following Registry key:

HKEY_CURRENT_USER\Software\SkypeWorm\cfg

 

Spreading

If Skype is found on the infected system, a message containing an URL is sent to all Skype contacts. The message may contain one of the following:

(devil)
(rofl)
:)
:D
bet cia nesveikai
kaip tau tokia? :D
labas
matei kur sandros foto idejo?
netau cia
oi netau cia turejo but sory
paziurek kokia foto andrius atsiunte
pz ane?
uj netau sry
ziurek kur sandros foto imeciau

The URL points to malicious content connected to Win32/Persky.A.