Beware Of Skype Adware

June 24, 2014 - 2 min read

Contents

Article
More blogs

During our daily log analysis, we recently encountered a sample purporting to power up Skype with different emoticons. The binary, when installed, integrated itself with Skype and sent the following message contacts without further intervention.

The binary in question (SkypEmoticons.exe) can be downloaded from hxxp://skypemoticons.com/.

Home page of hxxp://skypemoticons.com/

After installation it dropped following executable files:

Most of the dropped files are Adware which may lead to some malicious activities.

Here is the VT report for SkypeEmotions.exe.

VT reports of the various dropped samples:

MD5	VT Hits
aa9af86b02f4e497eb0284872b50af41	21/54
e96f6d6257bdcb54c297569d42219e97	22/54
1d283dd3ae2312eee624e8b8c46f6adb	45/51
666ab79b63833a2a2502c119f0843b4a	22/54
364207a743ff39207667a0c89ff38768	20/53
02861acc8be1b59be2db226947a384b2	5/54
23912df27a61ea0463c5509ba6a97579	38/52
cee68ad38668785cd39e37ca069f8b85	19/54
b4eb856acc30b0005a44b87566850fb3	3/54
2830932fca42074f17c46c56b4942ac2	23/54

Contacted sites from which dropped files were downloaded:

hxxp://homebestmy.info
hxxp://superstoragemy.com
hxxp://setepicnew.info
hxxp://198.7.61.118
hxxp://54.187.76.32
hxxp://54.213.103.160

We also observed User-Agent: TixDll being used for downloading the files, which provided a handy mechanism to do some data mining and identify other domains associated with the adware. The following malicious domains were observed to be contacted via this User-Agent:

hxxp://getapplicationmy.info
hxxp://applicationgrabb.com
hxxp://appmegga.info
hxxp://downlloaddatamy.info

Other domains identified in our logs contacted by this User-Agent are not currently showing any malicious activity, but may deliver some malicious content in the future:

hxxp://appussajob.info
hxxp://dirgreatbestepicl.info
hxxp://embededstub.de.drive-files-b.com
hxxp://embededstub.download.dmccint.com
hxxp://fra-7m17-stor06.uploaded.net
hxxp://getdirfrfee.info
hxxp://getgoolld.info
hxxp://getinstaal.info
hxxp://getmeegan.info
hxxp://homebestmy.info
hxxp://setepicnew.info
hxxp://softservers.net
hxxp://superstoragemy.com
hxxp://xml.dljs.org

Use caution when installing any add-on program, especially one that is able to control a powerful communication tool such as Skype.

Thank you for reading

Was this post useful?

Yes, very!

Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.