W32/Skyperise

**Anilrgowda** · 22-Jan-2007, 09:52 AM

Virus Profile: W32/Skyperise

Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/20/2006 Date Added: 12/20/2006 Origin: N/A Length: 14,848 bytes Type: Virus SubType: Internet Worm DAT Required: 4923 Virus Characteristics

Upon execution worm does following on victim's machine.
Worm initially looks for registry entry shown below which confirms presence of Skype on user's system.

HKLM\System\SOFTWARE\Skype\Phone = "[Path of Skype application]"

When the Skype software is not found on user's system, an error message box is displayed as below.

When Skype software is found to be installed on user's system, the following message box is displayed.

The worm tries to access Skype resulting in a warning prompt from the Skype application to seek confirmation from the user:

Above two message boxes synchronize each other well to influence innocent user in clicking on OK for both message boxes to enable the worm to function as intended.

Worm gathers information about users at frequent intervals and sends the following message to those users as shown below.

At the time of writing, the URL sent by W32/Skyperise was unavailable.

Indications of Infection

Popping up of the mentioned message boxes.
Chat History on Skype indicating messages with the hyperlink as below:
Check this! [http://]marx2.[REMOVED].org/surp[REMOVED]

Method of Infection

Worm propagates via Skype chat messages.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations

Aliases

W32.Chatosky (Symantec), Win32.Skyperise (Kaspersky), Win32/Chatosky.A (CA VET), WORM_SKYPERISE.A (Trend Micro)

22-Jan-2007, 09:52 AM	#1 (permalink)
Anilrgowda Administrator Posts: 18,715 Join Date: Jan 2006 Rep Power: 10 IM:	W32/Skyperise Virus Profile: W32/Skyperise Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/20/2006 Date Added: 12/20/2006 Origin: N/A Length: 14,848 bytes Type: Virus SubType: Internet Worm DAT Required: 4923 Virus Characteristics Upon execution worm does following on victim's machine. Worm initially looks for registry entry shown below which confirms presence of Skype on user's system. HKLM\System\SOFTWARE\Skype\Phone = "[Path of Skype application]" When the Skype software is not found on user's system, an error message box is displayed as below. When Skype software is found to be installed on user's system, the following message box is displayed. The worm tries to access Skype resulting in a warning prompt from the Skype application to seek confirmation from the user: Above two message boxes synchronize each other well to influence innocent user in clicking on OK for both message boxes to enable the worm to function as intended. Worm gathers information about users at frequent intervals and sends the following message to those users as shown below. At the time of writing, the URL sent by W32/Skyperise was unavailable. Indications of Infection Popping up of the mentioned message boxes. Chat History on Skype indicating messages with the hyperlink as below: Check this! [http://]marx2.[REMOVED].org/surp[REMOVED] Method of Infection Worm propagates via Skype chat messages. Removal Instructions A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files. Additional Windows ME/XP removal considerations Aliases W32.Chatosky (Symantec), Win32.Skyperise (Kaspersky), Win32/Chatosky.A (CA VET), WORM_SKYPERISE.A (Trend Micro)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)