[AI] skype virus

firoz firojjee at gmail.com
Sat Sep 15 02:33:34 EDT 2007

Skype has learned that a computer virus called "W32/Ramex.A" is affecting 
users of Skype for Windows. Users whose computers are infected with this 
will send a chat message to other Skype users asking them to click on a web 
link that can infect the computer of the person who receives the message.

Please note that Skype users ONLY become infected after they have downloaded 
the link and run the malicious software. The chat message, of which there 
several versions, is cleverly written and may appear to be a legitimate chat 
message, which may fool some users into clicking on the link.

Skype has been in contact with the leading antivirus software companies 
about this worm and currently FSecure,
lab ,
 and Spyware Terminator have already updated their antivirus products to 
detect and remove the worm.

Here's a more detailed look at the situation for those who understand 
techier talk:

list of 1 items
. When a Skype user receives the chat message - either from their Skype 
contacts or users not on their contact list - it includes an internet link. 
of a .jpg image that it seems to point to, the link actually leads to a 
virus file. By clicking on the link, the Windows Run/Save dialog box will 
pop up,
asking for permission to save or run a .scr file. This is the virus file and 
should not be downloaded or run.
list end

If the user accepts the file, however, their Windows PC will be infected 
with the "w32/Ramex.A"  virus. The worm uses Skype's public Application 
Interface (API) to access the PC.

There are two ways to get rid of the worm: the normal way and the techhead 
way. Most users should NOT attempt to edit their computer's registry 
For most people, downloading and/or updating their anti-virus software, and 
scanning their computer to detect and remove the worm, is the way to go.

Expert users & only expert users who know what they're doing can also remove 
the worm manually. OR Download new version of Symantac or Kaspersky lab or
Spyware terminator or FSecure

list of 8 items
1. Restart the PC in safe mode
2. Run regedit
3. Go to HKLM/software/ microsoft/ windows/currentv ersion/runonce find 
entry with mshtmldat32. exe. Delete this entry.
4. Go to Windows\System32 directory and delete following files: 
wndrivs32.exe, mshtmldat32. exe, winlgcvers.exe, sdrivew32.exe
5. Go to windows/system32/ drivers/etc
6. Find file hosts
7. Open it with notepad, ctrl+a and delete all entries (this will resume 
your antivirus updates), save, close.
8. Restart the PC.
list end

More information about the AccessIndia mailing list