W32/Skyperise

This page shows the details and results of our analysis of the malware W32/Skyperise.

Overview

W32/Skyperise is a worm that spreads via Skype chat messages.


Minimum DAT: 4923 (2006-12-20)
Updated DAT: 5053 (2007-06-14)
Minimum Engine: 5.1.00
File Length: 14,848 bytes
Description Added: 2006-12-20
Description Modified: 2006-12-20

Characteristics

Upon execution, the worm does the following on the victim's machine.

The worm first looks for the registry entry shown below, which confirms the presence of Skype on the user's system.

  • HKLM\System\SOFTWARE\Skype\Phone = "[Path of Skype application]"

When Skype is not found on the user's system, an error message box is displayed.

When Skype is found to be installed on the user's system, a different message box is displayed.

The worm then tries to access Skype, which causes the Skype application to show a warning prompt asking the user for confirmation.

These two message boxes work together to persuade an unsuspecting user to click OK on both, which enables the worm to function as intended.

The worm gathers information about users at frequent intervals and sends a message to those users.

At the time of writing, the URL sent by W32/Skyperise was unavailable.

Symptoms

The message boxes described above pop up.

Skype chat history shows messages with a hyperlink, as below:

Check this! [http://]marx2.[REMOVED].org/surp[REMOVED]
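A triage sketch for the chat-history symptom above, added here as an example and not taken from the vendor's analysis: it flags messages that match the unredacted parts of the lure and reports accounts that sent it to several contacts. The row layout, function names and the stand-in values for the redacted URL parts are assumptions.

```python
import re
from collections import defaultdict

# Only the fragments the write-up leaves unredacted are matched: the lure
# text "Check this!", host label "marx2", the ".org" suffix and a path that
# starts with "/surp". The [REMOVED] parts are treated as wildcards.
LURE = re.compile(
    r"check this!\s+(?:https?://)?marx2\.(?:[a-z0-9-]+\.)+org/surp\S*",
    re.IGNORECASE,
)

def matches_lure(text):
    """True if a chat message looks like the W32/Skyperise lure."""
    return LURE.search(text) is not None

def find_spreading_accounts(rows, min_recipients=2):
    """Return {sender: sorted recipients} for accounts that sent the lure
    to at least min_recipients distinct contacts (worm-like fan-out)."""
    fanout = defaultdict(set)
    for _timestamp, sender, recipient, text in rows:
        if matches_lure(text):
            fanout[sender].add(recipient)
    return {s: sorted(r) for s, r in fanout.items() if len(r) >= min_recipients}

# Constructed sample rows (timestamp, sender, recipient, text). The tuple
# layout is an assumed export format; "example" and "-placeholder" stand in
# for the redacted parts of the URL.
SAMPLE = [
    ("2006-12-20T10:00:05", "alice", "bob", "Check this! http://marx2.example.org/surp-placeholder"),
    ("2006-12-20T10:00:41", "alice", "carol", "check this!  http://marx2.example.org/surp-placeholder"),
    ("2006-12-20T10:02:10", "dave", "alice", "Check this! http://news.example.org/story"),
    ("2006-12-20T10:03:00", "erin", "bob", "Check this! http://marx2.example.org/surp-placeholder"),
    ("2006-12-20T10:04:00", "bob", "carol", "lunch at noon?"),
]

if __name__ == "__main__":
    for sender, recipients in find_spreading_accounts(SAMPLE).items():
        print(f"{sender}: lure sent to {', '.join(recipients)}")
```

Lowering `min_recipients` to 1 also surfaces single deliveries, which is useful for finding who received the link rather than who is spreading it.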

Method of Infection

The worm propagates via Skype chat messages.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants