Password stealer
By Villu Arak on December 6, 2007 in Impersonation.
Looks like virus writers are at it again. Some Skype users have been contacted over chat by people warning against viruses and offering to send the user a file that masquerades as Spyware Doctor, a popular anti-malware program from PC Tools. Needless to say, the file they're attempting to send (SpyWareDoctorSetup.exe) is not the real thing. Instead, it's a piece of malware, affecting Windows users. Do not accept or run this executable file.
From what we understand, this malware likely belongs to the same family as previous password stealers. The behavior is exactly the same, only this time it disguises itself as Spyware Doctor. The setup process of the genuine Spyware Doctor is completely different.
When executed, the fake version displays the "Welcome" screen and promptly shuts down Skype. When the unsuspecting user presses the "Next" button, the program briefly displays a fake installation screen (in reality, no installation takes place) and then immediately displays the "Skype login" screen.
When the user enters his username and password, an error message is displayed -- regardless of whether the password was correct or not. In the background, however, the entered login details are sent to a malicious web server. In addition, the program reads Internet Explorer's saved forms and passwords stored in Windows protected storage and sends them along as well. It does not read stored information in any other web browser.
Clicking on the "Close X" button or the standard close window button in the upper right corner of the window does not close the program. You can only terminate the program from the Windows Task Manager.
The malware is a password stealer and does not interact with Skype in any way. It does not stay resident in memory, modify any Windows DLLs, inject threads into existing services, or try to survive a reboot (there is no modification of the Registry or existing registered services). And the program does not attempt to distribute itself in any way. In fact, it seems to be spread by real people using Skype chat, as there is no evidence that the process is automated.
So, if you've unwittingly fallen victim to this password stealer, here's how to disinfect your machine manually:
- Double click on the Windows taskbar to open Task Manager
- Select the Processes tab
- Find SpyWareDoctorSetup.exe from the list
- Click on the End Process button
- Delete SpyWareDoctorSetup.exe from the file system (use Search For Files and Folders to find the location in case you don't remember where you saved it).
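The manual steps above, scripted in PowerShell as an added example (not from the original post or from Skype). The file name is the one the article gives; the search locations, the parameter names and the hash logging are assumptions, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example: scripted form of the manual cleanup steps in the article.
# Only the file name comes from the article; everything else is an assumption.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ImageName    = 'SpyWareDoctorSetup.exe',
    [string[]]$SearchRoot = @($env:USERPROFILE, $env:TEMP)   # assumed locations
)

# 1. Find running instances and note where each one was started from.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = '$ImageName'")
$paths = @($procs | Where-Object ExecutablePath | ForEach-Object ExecutablePath)

# 2. End them (the "End Process" step; the window's own close buttons do nothing).
foreach ($p in $procs) {
    $target = "PID $($p.ProcessId) ($($p.ExecutablePath))"
    if ($PSCmdlet.ShouldProcess($target, 'Stop process')) {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
}

# 3. Look for copies on disk in case the file is not currently running.
$paths += @(Get-ChildItem -Path $SearchRoot -Filter $ImageName -File -Recurse `
                -Force -ErrorAction SilentlyContinue |
            ForEach-Object FullName)

# 4. Record a SHA-256 of each copy for later reference, then delete it.
#    A name match alone does not prove the file is the fake installer,
#    so the hash and path are written out before anything is removed.
foreach ($f in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
    Write-Output ("{0}  {1}" -f $hash, $f)
    if ($PSCmdlet.ShouldProcess($f, 'Delete file')) {
        Remove-Item -LiteralPath $f -Force
    }
}
```

Run it with -WhatIf first to list what would be stopped and deleted. Removing the file does not undo the theft described above, so the Skype password and any passwords saved in Internet Explorer should be changed afterwards.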





Comments
Friends, I have a serious problem with Skype: my password was stolen by some trojan, and from that moment on I could no longer access my main Skype account. When I try to reset my password, I get a message saying that my username and my e-mail do not match. The biggest problem is that in that Skype account I have hundreds and hundreds of users who have accepted me as a contact and to whom I can send files, see connection status, etc. The hacker has taken advantage of this to send all my contacts more copies of the virus, as well as pornographic video clips. I would appreciate any idea of how to put a stop to this situation, since once a user is infected, he automatically sends copies of the virus to all his contacts.
camarada.maklao | Tuesday, Nov 25
My username is marjogut. I asked you how to recover it, since I lost it when my hard disk was misconfigured. I received the e-mail from your customer service and, following the instructions, obtained the security code and sent it to the address indicated, but when I want to sign in, the window of another user that I created (mario jose gutierrez2) opens and I cannot sign in as marjogut. How do I switch from one user to the other??????
marjogut | Monday, Jan 5
I sent a request about the same situation with my former password. I can't log in and I did send a request to the Skype office. Up to this point I haven't gotten any answer; I'm very disappointed with this customer support from Skype. Strongly considering cancelling this system. My Skype name has been loanperez for more than a year and I have many contacts under this name. Hope it can be retrieved. This virus damaged my password and my ID. I had to use this friend's ID to be able to send this comment and hope these people do something about it. My ID is loanperez
kind regards.
mr.perez.
loanperez@yahoo.com
admin@globalgeneralbusinessservicesllc.com / www.ggbsllc.com
patria.nunez | Thursday, Feb 12
I have also the same problem.
What bothers me most is that it looks like Skype support people do not know what to do. Though, they have at least 5 requests from me, all my details including e-mail and telephone number. It could be very simple for them to contact me (I can call if they do not want to pay for the telephone), run a security check, close the old account, transfer the SkypeIn telephone No. and credit to my new login.
They better do something; I will probably file a complaint for password theft against X, against Skype and against Paypal also and make it very, very public if this is not solved. There is a time when there is a need to address the problems seriously and not hide behind a computer web site.
If not, one day or the other, this will be so serious they will go out of business.
So please do something!
mbenvlg74 | Tuesday, Feb 17
Hi, just one question: how can I start Skype using my password? It never asks me for it and I would like to be able to do so. Thank you very much.
jose.miguel.ballesteros | Thursday, Mar 19
I SENT A REQUEST A FEW DAYS AGO AND I STILL HAVEN'T GOTTEN A REPLY FROM SKYPE'S ADMINISTRATION. I DO NEED TO GET THIS FIXED AS IT IS THE SECOND TIME IT HAS HAPPENED TO ME WITH THIS VIRUS THAT MAKES YOU LOSE YOUR PASSWORD. MY FORMAL SKYPE NAME IS LOANPEREZ. I NEED A RESPONSE AS SOON AS YOU CAN, PLEASE. I WORK WITH THIS SKYPE.
THANK YOU IN ADVANCE.
MR.PEREZ
WWW.GGBSLLC.COM
ggbsllc | Sunday, Mar 29
I have spent a day trying to open my account. I have already added more credit, I have already downloaded Skype many times and I still do not have the account. This situation is very exasperating; I urgently need to make some business calls.
julioabravo | Tuesday, Apr 21
I cannot get into my account because my computer was misconfigured. I only remember my username and not my password, but it does not send the correct one to my e-mail when I request it. I have calling credit and I cannot use my account. What can I do?
hernan.marcelo.gutierrez | Wednesday, Sep 9
My Skype account has been stolen. I have a username, charly_virga, and when I log in I find my password has been changed. When I ask Skype to resend it to my e-mail, it apparently sends it to another e-mail address, the one supplied by the hacker. My account remains active in his hands with 348 business contacts; since it has been and still is difficult for me to recover them all, the hacker uses them to send them viruses. Skype does not contact me despite countless requests; they can recover my account, or at least close it, in which case I would finally give up all my contacts as lost, the work of years.... I am going to give another e-mail account so that they can contact me in case there is any solution. Thank you very much in advance.
This is another e-mail account: sahydav@gmail.com
charly_virga1 | Wednesday, Oct 7