Win32.IMWorm.Pykse.B

LOW
LOW
55k - 60k

Symptoms

Increased network usage. Some Internet Explorer processes may run hidden (not visible in the taskbar, but visible in Task Manager).

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dragos Gavrilut, virus researcher

Technical Description:

Pykse is a Skype worm. The main executable copies itself into the system directory under the name wsydrv32.exe. It then drops a BHO (Browser Helper Object) into the same directory under the name msccfg1.dll. The internal name of that BHO is Invisible.dll.

It creates a specific mutex (Skype Worm spreader mutex).

It then creates the following registry keys:
a) HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value [System Driver], that points to the copy of the main executable (usually C:\Windows\System32\wsydrv32.exe)
b) HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value [System Driver], that points to the copy of the main executable (usually C:\Windows\System32\wsydrv32.exe)
These two values ensure that the main executable is executed every time the computer is started.

c) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object, value [Invisible], that points to the BHO that the main executable drops (usually C:\Windows\System32\msccfg1.dll). Each time Internet Explorer is started, this BHO is loaded.
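As an added triage example (not Bitdefender's code and not part of the original description), the script below parses a Windows registry export in the `.reg` text format and flags the persistence entries listed above: the two Run values named "System Driver", any value that launches wsydrv32.exe, and any Browser Helper Objects entry that references msccfg1.dll or is named "Invisible". The embedded sample export is constructed, including its GUID and benign entries. The description writes the BHO key as "Browser Helper Object"; the key Windows actually uses is "Browser Helper Objects", so the trailing "s" is matched as optional, and CLSID-named subkeys beneath it are covered as well.

```python
r"""Triage helper for the Pykse.B persistence entries (added example).

Parses a registry export in the .reg text format written by `reg export`
and reports entries matching the description. Constructed sample data is
embedded so it runs offline; on a suspect host collect an export first, e.g.
    reg export HKLM\Software\Microsoft\Windows\CurrentVersion hklm_cv.reg /y
"""
import re
from typing import Dict, List, Tuple

# File names taken from the description; matched case-insensitively.
WORM_FILES = ("wsydrv32.exe", "msccfg1.dll")
RUN_VALUE_NAME = "system driver"  # value name the worm uses in both Run keys

RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)
# Trailing "s" optional: the page says "Browser Helper Object", Windows uses
# "Browser Helper Objects". Subkeys (CLSID-named BHO registrations) match too.
BHO_KEY_RE = re.compile(
    r"\\CurrentVersion\\Explorer\\Browser Helper Objects?(\\|$)", re.IGNORECASE
)
# One .reg value line: "name"=data  or  @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def unescape_reg_string(data: str) -> str:
    """Decode a quoted .reg string (doubled backslashes, escaped quotes);
    hex:/dword: data is returned as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    last_value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            last_value = None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][name] = unescape_reg_string(m.group("data"))
            last_value = name
        elif last_value is not None:
            # continuation of a multi-line hex: value (previous line ended in '\')
            keys[current][last_value] = keys[current][last_value].rstrip("\\") + line
    return keys


def find_pykse_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (reason, key, value_name, data) for every entry matching the description."""
    hits = []
    for key, values in keys.items():
        in_run = RUN_KEY_RE.match(key) is not None
        in_bho = BHO_KEY_RE.search(key) is not None
        for name, data in values.items():
            refs_worm_file = any(f in data.lower() for f in WORM_FILES)
            if in_run and name.lower() == RUN_VALUE_NAME:
                hits.append(("Run value named 'System Driver'", key, name, data))
            elif in_run and refs_worm_file:
                hits.append(("Run value launching a Pykse file", key, name, data))
            elif in_bho and (refs_worm_file or name.lower() == "invisible"):
                hits.append(("BHO entry for the Pykse helper object", key, name, data))
            elif refs_worm_file:
                hits.append(("Other registry reference to a Pykse file", key, name, data))
    return hits


# Constructed sample export (not from a real host): one benign Run value, the
# worm's two "System Driver" values, the BHO value from the description, and an
# unrelated CLSID-named BHO subkey with a made-up GUID.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"System Driver"="C:\\Windows\\System32\\wsydrv32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Driver"="C:\\WINDOWS\\system32\\WSYDRV32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"Invisible"="C:\\Windows\\System32\\msccfg1.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Unrelated toolbar helper"
'''

if __name__ == "__main__":
    for reason, key, name, data in find_pykse_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{reason}: [{key}] {name} = {data}")
```

`reg export` writes UTF-16 LE, so read a real export with `open(path, encoding="utf-16")` before passing it to `parse_reg_export`. A registry export shows neither the mutex nor the dropped files themselves, so pair this check with a look for wsydrv32.exe and msccfg1.dll in the system directory.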

The worm sends the following instant messages using Skype:
a) oi netau cia turejo but sory
b) netau cia
c) uj netau sry
d) (rofl)
e) (devil)
f) bet cia nesveikai
g) pz ane?
h) paziurek kokia foto andrius atsiunte
i) kaip tau tokia? :D
j) ziurek kur sandros foto imeciau
k) matei kur sandros foto idejo?
l) labas

It displays a picture of a woman.


The worm sends different links that can download a new version of Pykse:
http://www.p[removed].ru/foto_galerija/sandra.jpg
http://www.p[removed].ru/lietuvaites/sandra.jpg
http://www.p[removed].ru/lietuvaites/sand.jpg
http://www.p[removed].ru/foto_galerija/sand.jpg
http://www.p[removed].ru/foto_galerija/sandra.jpg

The file behind each link is actually an executable (not a JPEG image) that, once run, installs the worm and then shows the picture of a woman.