Pykse Worm Variant
Original issue date: September 14, 2007
A new Pykse worm variant has been observed circulating in the wild. It propagates via Skype Instant Messenger and removable drives. The worm sends chat messages to all the Skype contacts it gathers from the infected system, asking them to download a copy of itself by means of social engineering. It checks the Skype language settings and chats in the corresponding language.
Variants: WORM_SKIPI.A [Trend], W32/Pykse.worm.b [McAfee], WORM_SKIPI.B [Trend], W32.Pykspa.D [Symantec]
Upon execution the worm:
- Copies itself into the WINDOWS system folder as mshtmldat32.exe, sdrivew32.exe, winlgcvers.exe and wndrivs32.exe.
- Creates the following registry entries to ensure its execution at every system start-up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Services Start" = "mshtmldat32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Windows Sys" = "explorer.exe mshtmldat32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Logon Settings" = "mshtmldat32.exe"
- Creates the following mutex so that only one instance of the worm runs at a time:
pyksp2.0.0.3gM-2oo8&-825190
- Opens and displays the graphic file Soap Bubbles.bmp located in the WINDOWS system folder.
- Terminates security-related processes running on the infected system.
- Modifies the hosts file to block access to security-related websites.
- Sends a chat message containing a malicious link to each Skype contact gathered from the infected system. The link appears to point to a .JPG image file but leads to a copy of the worm; when the link is clicked, the actual malware file, a .scr executable, is downloaded onto the system.
- Sends chat messages such as:
(mm) kaip as taves noriu
how are u ? :)
look what crazy photo Tiffany sent to me,looks cool
ziurek kur tavo foto imeciau :D
where I put ur photo :D
kas cia tavim taip isderge ? =]]
The message language depends upon the Skype language settings. The worm is capable of sending chat messages in different languages (Latvian, Russian and English).
- Attempts to connect to malicious web links.
- Creates the following files on removable drives:
[DRIVE LETTER]:\game.exe
[DRIVE LETTER]:\zjbs.exe
It also creates the file autorun.inf in the same location so that the worm executes when the drive is accessed.
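The following PowerShell script is an added example written for this page; it is not part of the CERT-In advisory and is not code from any of the listed vendors. It performs a read-only sweep of a Windows host for the indicators described above: the dropped file names, the three registry values, the mutex, hosts-file tampering and the files written to removable drives. Only those names and values come from the advisory; the layout of the checks, the treatment of the mutex namespace (the advisory does not say whether it is Global or session-local, so both are tried) and the hosts-file heuristic (every active mapping other than localhost is reported, because the advisory does not list the blocked sites) are assumptions of this script.

```powershell
# Added example (not part of the CERT-In advisory): read-only sweep of a Windows
# host for the Pykse indicators listed above. Run from an elevated PowerShell
# prompt. Only the file names, registry value names/data, mutex name and
# removable-drive file names come from the advisory; the layout of the checks,
# the hosts-file heuristic and the mutex namespace handling are assumptions.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Copies dropped into the Windows system folder (names from the advisory)
$sysDir = [Environment]::GetFolderPath('System')
foreach ($name in 'mshtmldat32.exe', 'sdrivew32.exe', 'winlgcvers.exe', 'wndrivs32.exe') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) { $findings.Add("dropped file: $path") }
}

# 2. Persistence values (key paths, value names and data from the advisory)
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';    Name = 'Services Start' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Windows Sys' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Logon Settings' }
)
foreach ($check in $regChecks) {
    $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($check.Name)
        # The advisory gives mshtmldat32.exe as the data of all three values
        if ("$data" -match 'mshtmldat32\.exe') {
            $findings.Add("registry: $($check.Key)\$($check.Name) = $data")
        }
    }
}

# 3. Single-instance mutex (name from the advisory). Namespace is an assumption,
# so the bare name and the Global\ form are both tried.
$mutexName = 'pyksp2.0.0.3gM-2oo8&-825190'
foreach ($candidate in $mutexName, "Global\$mutexName") {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($candidate)
        $m.Dispose()
        $findings.Add("mutex present: $candidate")
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: the expected result on a clean host.
    } catch [System.UnauthorizedAccessException] {
        # Exists but cannot be opened from this context: still an indicator.
        $findings.Add("mutex present (access denied): $candidate")
    }
}

# 4. hosts file tampering. The advisory does not list the blocked sites, so
# every active mapping other than the standard localhost entry is reported
# for manual review (assumed heuristic).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    foreach ($raw in Get-Content -LiteralPath $hostsPath) {
        $line = ($raw -split '#')[0].Trim()      # strip trailing comments
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $names = $fields[1..($fields.Count - 1)] | Where-Object { $_ -ne 'localhost' }
        if ($names) { $findings.Add("hosts entry: $line") }
    }
}

# 5. Files dropped at the root of removable drives (names from the advisory;
# DriveType 2 = removable disk)
foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($name in 'game.exe', 'zjbs.exe', 'autorun.inf') {
        $path = "$($disk.DeviceID)\$name"
        if (Test-Path -LiteralPath $path) { $findings.Add("removable drive: $path") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Pykse indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

A hit on the dropped-file, registry or mutex checks is specific to this worm; a reported hosts entry on its own is only a prompt for review, since administrators legitimately add mappings there. The script changes nothing on the host, so it can be run repeatedly while the anti-virus clean-up recommended below is verified.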
In view of the rapid propagation of the worm, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at gateway and desktop level.
- Keep anti-spyware signatures up to date.
- Keep up to date with patches and fixes for the operating system and application software.
- Do not follow unsolicited links embedded in Skype messages.
References
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-091011-2911-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2007-091011-2911-99
http://www.cert-in.org.in/virus/Pykse_Worm.htm
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003