Aliases: Mal/Pykse-A [Sophos], IM-Worm.Win32.Pykse.a [Kaspersky], W32/Pykse.worm.a [McAfee], W32/Pykse-B [Sophos]
Category: Computer Worm
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
First appeared: 16 Apr 2007
W32.Pykspa.A first appeared on April 16, 2007. It is a worm that propagates via Skype Instant Messenger. It is also known as Mal/Pykse-A, IM-Worm.Win32.Pykse.a, W32/Pykse.worm.a and W32/Pykse-B. The operating systems mostly affected by this worm are Windows 98, 95, XP, Me, NT, Server 2003 and 2000.
More details about W32.Pykspa.A
Once W32.Pykspa.A is executed, it creates [ORIGINAL FILE NAME EXECUTABLE].jpg and [RANDOM CHARACTERS].exe in the %Temp% folder. The worm also creates Invisible002.dll and Skype.exe under %System%. It then creates system registry entries and subkeys, and displays an image that contains a malicious threat. The worm sends itself out as a Skype Instant Message carrying one of the following messages: matei kur sandros foto idejo?, ziurek kur sandros foto imeciau, kaip tau tokia? :D, paziurek kokia foto andrius atsiunte, pz ane?, bet cia nesveikai, (devil), (rofl), uj netau sry, netau cia or oi netau cia turejo but sory. Finally, the worm accesses several URLs to download other files that contain threats.
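The file artifacts described above can be turned into a simple triage check over file-creation events. The following is an added example, not code from this page or from any vendor; the event format, the function name, the directory-name heuristics for %System% and %Temp%, and the reading of "[ORIGINAL FILE NAME EXECUTABLE].jpg" as a .jpg named after the creating executable are all assumptions.

```python
import ntpath

# Assumption: %System% resolves to a directory named system32 (NT family)
# or system (Windows 9x), and %Temp% to a directory named Temp.
SYSTEM_DIRS = {"system32", "system"}
TEMP_DIRS = {"temp"}
# File names the description says the worm creates under %System%.
SYSTEM_DROPS = {"invisible002.dll", "skype.exe"}


def _split(path):
    """Return (parent directory name, file name), lower-cased, for a Windows path."""
    norm = ntpath.normcase(path)
    return ntpath.basename(ntpath.dirname(norm)), ntpath.basename(norm)


def find_pykspa_artifacts(events):
    """events: dicts with 'process' (creating image) and 'path' (file created).

    Returns a sorted list of (rule, path) findings.
    """
    findings = set()
    temp_by_process = {}
    for ev in events:
        parent, name = _split(ev["path"])
        if parent in SYSTEM_DIRS and name in SYSTEM_DROPS:
            findings.add(("system-drop", ev["path"]))
        elif parent in TEMP_DIRS:
            key = ntpath.normcase(ev["process"])
            temp_by_process.setdefault(key, []).append((ev["path"], name))
    # %Temp% pattern: one process writes an .exe plus a .jpg named after itself.
    for proc, created in temp_by_process.items():
        stem = ntpath.splitext(ntpath.basename(proc))[0]
        has_exe = any(name.endswith(".exe") for _, name in created)
        for path, name in created:
            if stem and has_exe and name.endswith(".jpg") and name.startswith(stem):
                findings.add(("temp-pair", path))
    return sorted(findings)


# Constructed sample events (not taken from a real host).
SAMPLE_EVENTS = [
    {"process": r"C:\Users\al\Downloads\foto.exe", "path": r"C:\Users\al\AppData\Local\Temp\foto.jpg"},
    {"process": r"C:\Users\al\Downloads\foto.exe", "path": r"C:\Users\al\AppData\Local\Temp\qzxvbnmw.exe"},
    {"process": r"C:\Users\al\Downloads\foto.exe", "path": r"C:\Windows\System32\Invisible002.dll"},
    {"process": r"C:\Users\al\Downloads\foto.exe", "path": r"C:\WINDOWS\system32\Skype.exe"},
    {"process": r"C:\Users\al\Downloads\SkypeSetup.exe", "path": r"C:\Program Files\Skype\Phone\Skype.exe"},
    {"process": r"C:\Program Files\Browser\browser.exe", "path": r"C:\Users\al\AppData\Local\Temp\cache.jpg"},
]
```

A Skype.exe created under the system directory is flagged, while the same file name under Program Files is not.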
The W32.Pykspa.A software opens a pathway that gives a remote hacker access to the system. This pathway is a new port created by the RAT program, and it acts as an unmonitored opening into the system, called a backdoor. The hacker's client program sends commands to the RAT application through this pathway, and data gathered from the system is uploaded to the remote server via the same backdoor. The RAT program is reportedly downloaded and installed by different downloader Trojan applications.