W32.Pykspa.A


Aliases: Mal/Pykse-A [Sophos], IM-Worm.Win32.Pykse.a [Kaspersky], W32/Pykse.worm.a [McAfee], W32/Pykse-B [Sophos]
Variants: W32/Pykse.worm.b

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 16 Apr 2007
Damage: Low

Characteristics: W32.Pyskpa.A first appeared on April 16, 2007. This is a worm that propagates via Skype Instant Messenger. This worm is also known as Mal/Pykse-A, IM-Worm.Win32.Pykse.a, W32/Pykse.worm.a and W32/Pykse-B. Windows 98. 95, XP, Me, NT, Server 2003 and 2000 are the operating systems that are mostly affected by this worm.

More details about W32.Pykspa.A

Once W32.Pyskpa.A is executed, it creates [ORIGINAL FILE NAME EXECUTABLE].jpg and [RANDOM CHARACTERS].exe in the %Temp% folder. The worm also creates Invisible002.dll and Skype.exe under %System%. Then, the worm creates system registry entries and subkeys. After that, the worm displays an image that contains malicious threat. The worm sends itself out as a Skype Instant Message and has one of the following messages: matei kur sandros foto idejo?, ziurek kur sandros foto imeciau, kaip tau tokia? :D, paziurek kokia foto andrius atsiunte, pz ane?, bet cia nesveikai, (devil), (rofl), uj netau sry, netau cia or oi netau cia turejo but sory. Then, the worm accesses several URLs to download other files that contain threats.

The W32.Pyskpa.A software opens a pathway that allows a remote hacker remote access. This pathway is through a new port created by the RAT program. It acts as an unmonitored system opening called a backdoor. The hacker’s client program sends commands to the RAT application through this pathway. Data gathered from the system are also uploaded to the remote server via the backdoor.The RAT program is reportedly downloaded and installed by different downloader Trojan applications.