Another Skype Virus Removal Tool
Skype Community > English > General discussion > Security, Privacy, Trust and Safety
Dominik Senn
Dear all,

Facing the problems of this new virus within our own network, we've developed a small little utility which manages to remove the virus (at least on our systems). It's certainly not perfect (and you should definitely re-scan your machine once your virus scanner manufacturer has released some update patterns), but maybe it can be helpful to some of you.

The utility is available here:
https://secure.agbnielsen.com/skype-removal/

You are most welcome to download the source code and recompile it yourself if you don't trust the binary. Please also do read the "readme_first.html" page on this site before you download it.

Feel free to post any feedback about this if you would like to. If you wish to distribute this, please do link to this forum post instead of the download site directly, so that it can possibly be moved if our systems can't compete with the amount of bandwidth required - however I don't think that will be the case. :)

Kind Regards,

Dominik
TheUberOverlord
I hope a default hosts file is being created so that 127.0.0.1 is still there, as it is in most cases?

Dominik Senn
QUOTE(TheUberOverlord @ Mon Sep 10 2007, 16:13)

I hope a default hosts file is being created so that 127.0.0.1 is still there, as it is in most cases?


The current version is not doing this, no. I was testing the behaviour of Windows, and it seems that "localhost" (+ the %COMPUTERNAME env. setting) is still resolved to 127.0.0.1 by default. So even if you delete the hosts file, those names will still be resolved properly.
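An added example, not Dominik's tool and not code from this thread, showing the alternative raised in this exchange: rather than deleting the hosts file, keep only the default loopback entries, rename the old file instead of removing it, and report every other line for review (later posts in the thread note that the worm pins AV vendor update hosts to loopback so scanners cannot fetch new signatures). Python, assumed to run elevated on the affected Windows machine; the sample hosts content and the vendor names in it are constructed, not the entries the worm actually writes.

```python
import shutil
from ipaddress import ip_address

# Names that a stock Windows hosts file legitimately maps to a loopback address.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample resembling the kind of edit reported in the thread: vendor
# update hosts pinned to loopback so signature downloads fail. The vendor names
# are placeholders, not the entries the worm actually writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test   # added by malware
0.0.0.0         downloads.example-av.test
"""


def parse_hosts(text):
    """Return (address, names, raw_line) for every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        entries.append((fields[0], fields[1:], raw))
    return entries


def triage_hosts(text):
    """Split hosts entries into lines to keep and lines to report.

    An entry is kept only if it maps default names (localhost and friends) to a
    loopback or unspecified address. Everything else is a hijack candidate: a
    vendor update host redirected to 127.0.0.1 is exactly what stops a scanner
    from fetching new signatures, and a legitimate custom entry is cheap for
    the user to re-add after reviewing the report.
    """
    keep, suspicious = [], []
    for address, names, raw in parse_hosts(text):
        try:
            addr = ip_address(address)
        except ValueError:
            suspicious.append(raw)      # not even a valid address: report it
            continue
        is_default = (
            (addr.is_loopback or addr.is_unspecified)
            and bool(names)
            and all(n.lower() in DEFAULT_NAMES for n in names)
        )
        (keep if is_default else suspicious).append(raw)
    return keep, suspicious


def rebuild_hosts(text):
    """Return (new_hosts_text, removed_lines). Never emits an empty file, so
    localhost keeps resolving even if the original had no usable entries."""
    keep, suspicious = triage_hosts(text)
    if not keep:
        keep = ["127.0.0.1       localhost"]
    new_text = "# rebuilt after malware cleanup; previous file kept as hosts.skipi.bak\n"
    new_text += "\n".join(keep) + "\n"
    return new_text, suspicious


def clean_hosts_file(path):
    """Rename the live hosts file to a .bak copy (never delete it), write the
    rebuilt version in its place and return the removed lines for review."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        new_text, removed = rebuild_hosts(f.read())
    shutil.move(path, path + ".skipi.bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(new_text)
    return removed


if __name__ == "__main__":
    # Real use on Windows (run elevated):
    #   clean_hosts_file(r"C:\WINDOWS\system32\drivers\etc\hosts")
    # Offline demonstration on the constructed sample:
    rebuilt, removed = rebuild_hosts(SAMPLE_HOSTS)
    print(rebuilt)
    print("removed for review:", *removed, sep="\n  ")
```

The policy is deliberately strict: anything that is not a default loopback mapping is reported rather than silently kept, because a removal tool cannot tell a user's own entry from one the worm added, and the renamed .bak copy keeps the original available if something legitimate was dropped.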
TheUberOverlord
QUOTE(Dominik Senn @ Mon Sep 10 2007, 09:48)

Dear all,

Facing the problems of this new virus within our own network, we've developed a small little utility which manages to remove the virus (at least on our systems). It's certainly not perfect (and you should definitely re-scan your machine once your virus scanner manufacturer has released some update patterns), but maybe it can be helpful to some of you.

The utility is available here:
https://secure.agbnielsen.com/skype-removal/

You are most welcome to download the source code and recompile it yourself if you don't trust the binary. Please also do read the "readme_first.html" page on this site before you download it.

Feel free to post any feedback about this if you would like to. If you wish to distribute this, please do link to this forum post instead of the download site directly, so that it can possibly be moved if our systems can't compete with the amount of bandwidth required - however I don't think that will be the case. :)

Kind Regards,

Dominik


There is also a rumor that entries have been added in the approved programs for Skype. Is this true? And if so, are you removing these entries?

Please be aware, you may additionally need to check your approved programs that work with Skype:

Tools -> Options -> Advanced -> Manage Other Programs That Access Skype

If you see something that looks strange REMOVE it.
Dominik Senn
QUOTE(TheUberOverlord @ Mon Sep 10 2007, 16:27)

There is also a rumor that entries have been added in the approved programs for Skype. Is this true? And if so, are you removing these entries?


Quick edit. Sorry, I misunderstood your posting.

No, I'm not checking the list of approved programs for Skype. To be honest, I was not even aware of this, I don't think the Linux version has that functionality. :)

Then again, I dare to poke the developers here a bit if this is the case. If it is that easy to alter the configuration of "Approved Programs for Skype" from an external source, there's not much point in having it, right? Since any application that would like to interact with Skype would then simply "approve" itself.
TheUberOverlord
QUOTE(Dominik Senn @ Mon Sep 10 2007, 10:32)

As it is stated in the readme file, the hosts file currently is deleted. While I totally agree that there might be more elegant solutions than simply removing it, I once more point out that this is not a commercial anti-virus removal utility, but something that had to be done quick and "as dirty as needed".

I will however upload an updated version within the next few minutes which will simply rename it - which should be more convenient for most users.


PLEASE be very careful. People are saying that the hosts file was modified to make sure some virus scanners could NOT get to their sites to update their scanning files, so please take it SLOW. Also, there may be entries in the programs allowed to access Skype; this is why we need to be careful about suggesting a 100 percent cleanup. There may be some manual steps still required to be 100 percent clean at this time.
Dominik Senn
QUOTE(TheUberOverlord @ Mon Sep 10 2007, 16:35)

PLEASE be very careful. People are saying that the hosts file was modified to make sure some virus scanners could NOT get to their sites to update their scanning files, so please take it SLOW. Also, there may be entries in the programs allowed to access Skype; this is why we need to be careful about suggesting a 100 percent cleanup. There may be some manual steps still required to be 100 percent clean at this time.


That's true. I did not reverse-engineer the virus code, so all I could do was something to take action against the obvious traces it leaves within the system. The utility provided is likely not a 100% cleanup, but it is - as of now - enough to terminate the running instances of the virus, prevent it from restarting again upon a reboot, and allow virus scanners to get their updates.
TheUberOverlord
QUOTE(Dominik Senn @ Mon Sep 10 2007, 10:45)

That's true. I did not reverse-engineer the virus code, so all I could do was something to take action against the obvious traces it leaves within the system. The utility provided is likely not a 100% cleanup, but it is - as of now - enough to terminate the running instances of the virus, prevent it from restarting again upon a reboot, and allow virus scanners to get their updates.


I think it is still important to remind Skype users that they still need to take the step to manually remove any approved program which was added by this. I don't have the names of these entries, because I have NOT infected myself, but maybe you could supply them and add the instructions to manually remove them?

Something, like

Please be aware, you may additionally need to check your approved programs that work with Skype:

Tools -> Options -> Advanced -> Manage Other Programs That Access Skype

If you see something that looks strange REMOVE it.

But maybe with the names of the entries to remove.
Dominik Senn
QUOTE(TheUberOverlord @ Mon Sep 10 2007, 16:47)

I think it is still important to remind Skype users that they still need to take the step to manually remove any approved program which was added by this. I don't have the names of these entries, because I have NOT infected myself, but maybe you could supply them and add the instructions to manually remove them?

Something, like

Please be aware, you may additionally need to check your approved programs that work with Skype:

Tools -> Options -> Advanced -> Manage Other Programs That Access Skype

If you see something that looks strange REMOVE it.

But maybe with the names of the entries to remove.


Since I can't check this myself as of now, I'll just add your advice to the readme file on the web server, so people will read it. If anyone is able to provide more information about those malicious programs, I'll certainly list them too. Is that ok for you?


Also, to the rest of you: If the utility is working (or not) for you, I'd greatly appreciate it if you could just drop a line here to let me know.
Sn3f3ru
Worth mentioning:

After running Dominik's tool, you need to make sure the "bad programs" are also removed.

Kaspersky has updates for this trojan --> so you can use their free online scanner --> http://www.kaspersky.com/virusscanner

If you have System Restore enabled, make sure you don't revert to a virused state.

BTW --> tool works, thanks Dominik!!!
Dominik Senn
QUOTE(Sn3f3ru @ Mon Sep 10 2007, 16:59)

Worth mentioning:

After running Dominik's tool, you need to make sure the "bad programs" are also removed.

Kaspersky has updates for this trojan --> so you can use their free online scanner --> http://www.kaspersky.com/virusscanner

If you have System Restore enabled, make sure you don't revert to a virused state.

BTW --> tool works, thanks Dominik!!!


You're most welcome. smile.png

Also, if you can tell me which "bad programs" need to be removed, I can add them to the program. Or is this referring to Skype's list of approved programs, too?
Sn3f3ru
Not sure if you can do this:

C:\Documents and Settings\username\Local Settings\Application Data\Mozilla\Firefox\Profiles\4uagujnj.default\Cache\C5362032d01 Infected: Worm.Win32.Skipi.b

ments and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\EVUDMOIC\dsc027[1].scr Infected: Worm.Win32.Skipi.b

C:\WINDOWS\system32\winlgcverx.exe Infected: Worm.Win32.Skipi.b

C:\WINDOWS\system32\sdrivec32.exe Infected: Worm.Win32.Skipi.b

Probably cleaning the temporary files will be better.
Dominik Senn
QUOTE(Sn3f3ru @ Mon Sep 10 2007, 17:08)

Not sure if you can do this:

C:\Documents and Settings\username\Local Settings\Application Data\Mozilla\Firefox\Profiles\4uagujnj.default\Cache\C5362032d01 Infected: Worm.Win32.Skipi.b

ments and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\EVUDMOIC\dsc027[1].scr Infected: Worm.Win32.Skipi.b
Probably cleaning the temporary files will be better.


Hmm. Considering that the virus can only spread through downloads, it's unlikely that it's a polymorphic variant. Would you mind getting an MD5 checksum of the .scr file? If it's the same everywhere, it should be easy to find while scanning those directories.
Sn3f3ru
C:\WINDOWS\system32\winlgcverx.exe

D3B2B81BA7745932B16C38885058A4C9

Not sure if I created the checksum correctly; I only have Windows now and I used http://www.download.com/MD5-Checker/3000-2092-10410639.html
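An added example, not part of the thread and not Dominik's tool, of the hash-based sweep Dominik asks for above: walk the directories where Sn3f3ru's scan found copies, hash every file, and report matches on either the dropped file names or a known MD5. The indicator values are taken from the posts as written; the MD5 is the one Sn3f3ru posted while unsure it was computed correctly, so it is a placeholder to be replaced with hashes verified on a known-infected machine. The default directory list and the `.skipi.bak`-style layout assumptions are mine (classic Windows XP profile paths), and files are reported, not deleted.

```python
import hashlib
import os

# Indicators taken from the thread: the two dropped files reported by the
# Kaspersky scan, and the MD5 posted for winlgcverx.exe. The poster was not
# sure that checksum was computed correctly, so treat it as a placeholder to
# be replaced with hashes verified on a known-infected machine.
KNOWN_BAD_NAMES = {"winlgcverx.exe", "sdrivec32.exe"}
KNOWN_BAD_MD5 = {"d3b2b81ba7745932b16c38885058a4c9"}

# Default locations to sweep, mirroring where the scan output found copies:
# System32 plus the IE and Firefox caches under the user profile. These are
# assumptions about a classic Windows layout, not paths taken from the worm.
_PROFILE = os.environ.get("USERPROFILE", r"C:\Documents and Settings\username")
DEFAULT_DIRS = [
    os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32"),
    os.path.join(_PROFILE, "Local Settings", "Temporary Internet Files"),
    os.path.join(_PROFILE, "Local Settings", "Application Data",
                 "Mozilla", "Firefox", "Profiles"),
]


def hash_bytes(data):
    """Return (md5, sha256) hex digests. SHA-256 is recorded alongside the MD5
    so hits can be shared with people who will not match on MD5 alone."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 16):
    """Stream a file through MD5 and SHA-256 without loading it whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify(name, md5, bad_names=KNOWN_BAD_NAMES, bad_md5=KNOWN_BAD_MD5):
    """Return the reasons a file matches: 'name' and/or 'md5'.

    A hash hit under a different name catches renamed copies such as the .scr
    sitting in a browser cache; a name hit with a different hash is worth a
    look too, since it may be a newer build of the same dropper.
    """
    reasons = []
    if name.lower() in bad_names:
        reasons.append("name")
    if md5.lower() in bad_md5:
        reasons.append("md5")
    return reasons


def sweep(dirs=DEFAULT_DIRS, bad_names=KNOWN_BAD_NAMES, bad_md5=KNOWN_BAD_MD5):
    """Walk the directories and return (path, md5, sha256, reasons) per hit.
    Files are reported, not deleted: a running copy has to be terminated
    first, and a sample should be kept to submit to the AV vendor."""
    hits = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for fname in files:
                path = os.path.join(root, fname)
                try:
                    md5, sha256 = hash_file(path)
                except OSError:
                    continue        # unreadable or locked, e.g. by the running copy
                reasons = classify(fname, md5, bad_names, bad_md5)
                if reasons:
                    hits.append((path, md5, sha256, reasons))
    return hits


if __name__ == "__main__":
    for path, md5, sha256, reasons in sweep():
        print(f"{path}\n  md5={md5}\n  sha256={sha256}\n  matched on: {', '.join(reasons)}")
```

Run it as the user whose caches you want covered (the IE and Firefox paths are per profile), and extend `KNOWN_BAD_MD5` with hashes you have computed yourself from a confirmed sample before relying on the MD5 match; the name match is only a hint and will also flag a benign file that happens to share the name.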