MailSkinner

Type: Trojan
SubType: Spyware
Discovery Date: 12/02/2005
Length: Varies
Minimum DAT: 4642 (12/02/2005)
Updated DAT: 5403 (10/10/2008)
Minimum Engine: 5.1.00
Description Added: 12/02/2005
Description Modified: 08/15/2008 8:31 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This detection is for a remote access trojan written in Visual C++.

Installation

Upon execution, the trojan installs itself into the directory

%ProgramFiles%\MailSkinner\

as

MailSkinner.exe, OESkinner.dll, and OLSkinner.dll

and drops the following files into

%windows%\system32\

msegcompid.dll, msclock32.jpg and axsetup.dll

(msclock32.jpg is one of the trojan's own files despite its image extension.)

The following registry keys are added. The HKEY_CLASSES_ROOT entries register the add-in as a COM server, the Outlook Addins key causes Outlook to load it each time it starts, and the Installer and Uninstall keys are Windows Installer bookkeeping from the package that dropped the files:

  • HKEY_CURRENT_USER\Software\epk_extr
  • HKEY_CURRENT_USER\Software\exts
  • HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}
  • HKEY_CURRENT_USER\Software\MailSkinner
  • HKEY_CURRENT_USER\Software\Microsoft\Installer
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Features
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\
    96FF640DA68D6C24EAF73B276C0844D6
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\
    589C136F0E6FCEA4FAC5EFBABA79F5A0
  • HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}
  • HKEY_CLASSES_ROOT\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}
  • HKEY_CLASSES_ROOT\OutlookAddin.Addin
  • HKEY_CLASSES_ROOT\OutlookAddin.Addin.1
  • HKEY_CLASSES_ROOT\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\
    OutlookAddin.Addin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\
    UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{D046FF69-D86A-42C6-AE7F-B372C680446D}

After installing itself, the trojan also attempts to contact

http://www.security-udpater.com

to check whether a newer version of itself is available.

Symptoms

Once running on the victim machine, OESkinner.dll is loaded into all running processes, and axsetup.dll is loaded into iexplore.exe.
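Added example, not McAfee's tooling or any code from the trojan: a Python sweep that checks a host for the file, registry and loaded-module indicators given under Installation and Symptoms. The file and registry lookups are passed in as functions, so the matching logic runs on any platform against the constructed sample at the bottom; on a Windows host you pass os.path.exists, the winreg-based lookup defined in the block, and os.environ, and feed it the real output of `tasklist /M OESkinner.dll`. Assumptions: the row layout of tasklist /M output (image name, PID, module list after a line of `=` characters) and that %ProgramFiles% resolves to the directory the trojan used; on 64-bit Windows a 32-bit installer lands under %ProgramFiles(x86)% and writes its HKLM\SOFTWARE keys under WOW6432Node, which the registry lookup covers by querying both views.

```python
"""Host sweep for the MailSkinner indicators in this description. Added example,
not McAfee tooling: lookups are passed in as callables so the logic also runs
off-Windows on constructed data; on Windows pass os.path.exists and
windows_reg_key_exists (below)."""
import re
from typing import Callable, Dict, List, Tuple

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

# Files from the Installation section; %ProgramFiles% and %windir% expand at run time.
FILE_IOCS = [
    r"%ProgramFiles%\MailSkinner\MailSkinner.exe",
    r"%ProgramFiles%\MailSkinner\OESkinner.dll",
    r"%ProgramFiles%\MailSkinner\OLSkinner.dll",
    r"%windir%\system32\msegcompid.dll",
    r"%windir%\system32\msclock32.jpg",
    r"%windir%\system32\axsetup.dll",
]

# Registry keys from the Installation section. HKCU\Software\Microsoft\Installer and
# its Features subkey exist on most clean hosts and are left out to avoid false positives.
REG_IOCS = [
    r"HKEY_CURRENT_USER\Software\epk_extr",
    r"HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}",
    r"HKEY_CURRENT_USER\Software\MailSkinner",
    r"HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\96FF640DA68D6C24EAF73B276C0844D6",
    r"HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0",
    r"HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}",
    r"HKEY_CLASSES_ROOT\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}",
    r"HKEY_CLASSES_ROOT\OutlookAddin.Addin",
    r"HKEY_CLASSES_ROOT\OutlookAddin.Addin.1",
    r"HKEY_CLASSES_ROOT\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D046FF69-D86A-42C6-AE7F-B372C680446D}",
]

def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references case-insensitively, as cmd.exe does."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lower.get(m.group(1).lower(), m.group(0)), path)

def sweep(file_exists: Callable[[str], bool], reg_key_exists: Callable[[str], bool],
          env: Dict[str, str]) -> Dict[str, list]:
    """Return the indicators present on the host, grouped by type, in IOC-list order."""
    files = [p for p in (expand(f, env) for f in FILE_IOCS) if file_exists(p)]
    return {"files": files, "registry": [k for k in REG_IOCS if reg_key_exists(k)]}

def processes_with_module(tasklist_output: str, module: str) -> List[Tuple[str, int]]:
    """Parse `tasklist /M <module>` output into (image, pid) pairs that loaded the module."""
    lines = tasklist_output.splitlines()
    seps = [i for i, line in enumerate(lines) if line.startswith("=")]
    if not seps:  # no match: tasklist prints only an INFO line, no header/separator
        return []
    hits = []
    for line in lines[seps[0] + 1:]:  # rows: image name, PID, comma-separated modules
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line.strip())
        if m and module.lower() in [x.strip().lower() for x in m.group(3).split(",")]:
            hits.append((m.group(1), int(m.group(2))))
    return hits

def windows_reg_key_exists(path: str) -> bool:
    """Real lookup for Windows; tries both registry views, since a 32-bit installer
    on 64-bit Windows writes HKLM\\SOFTWARE under WOW6432Node."""
    hive_name, _, subkey = path.partition("\\")
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            winreg.CloseKey(winreg.OpenKey(getattr(winreg, hive_name), subkey, 0,
                                           winreg.KEY_READ | view))
            return True
        except OSError:
            pass
    return False

# Constructed sample (not a real capture): a host after the installer ran and
# Outlook and Internet Explorer were started.
SAMPLE_FILES = {
    r"C:\Program Files\MailSkinner\MailSkinner.exe",
    r"C:\Program Files\MailSkinner\OESkinner.dll",
    r"C:\WINDOWS\system32\axsetup.dll",
}
SAMPLE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin",
    r"HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}",
}
SAMPLE_TASKLIST = """
Image Name                     PID Modules
========================= ======== ============================================
OUTLOOK.EXE                   1234 OESkinner.dll
iexplore.exe                  2048 OESkinner.dll
"""

def demo() -> Dict[str, list]:
    """Run the sweep against the constructed sample instead of a live host."""
    env = {"ProgramFiles": r"C:\Program Files", "windir": r"C:\WINDOWS"}
    result = sweep(SAMPLE_FILES.__contains__, SAMPLE_KEYS.__contains__, env)
    result["injected"] = processes_with_module(SAMPLE_TASKLIST, "OESkinner.dll")
    return result
```

Treat the result as triage, not proof: the Installer and Uninstall keys alone only show the package was once installed, while a hit on the Outlook add-in key, the CLSID, or OESkinner.dll inside a running process means the component is still registered or live.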

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use the specified engine and DAT files for detection and removal. Delete files which contain this detection.

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • MailSkinner.dll
  • Skintrim.gen
  • Win32.Skintrim.E (CA)
