Skintrim.gen

Type
Trojan
SubType
Generic
Discovery Date
08/05/2008
Length
varies
Minimum DAT
5354 (08/05/2008)
Updated DAT
5434 (11/14/2008)
Minimum Engine
5.2.00
Description Added
08/05/2008
Description Modified
08/15/2008 8:47 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Upon execution, the trojan installs itself into the %ProgramFiles%\MailSkinner\ directory as MailSkinner.exe, OESkinner.dll, and OLSkinner.dll, and installs the following files in %windows%\system32\: msegcompid.dll, msclock32.jpg and axsetup.dll.

The following registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\epk_extr
  • HKEY_CURRENT_USER\Software\mc
  • HKEY_CURRENT_USER\Software\exts
  • HKEY_CURRENT_USER\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}
  • HKEY_CURRENT_USER\Software\MailSkinner
  • HKEY_CURRENT_USER\Software\Microsoft\Installer
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Features
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\
    96FF640DA68D6C24EAF73B276C0844D6
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\
    589C136F0E6FCEA4FAC5EFBABA79F5A0
  • HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}
  • HKEY_CLASSES_ROOT\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}
  • HKEY_CLASSES_ROOT\OutlookAddin.Addin
  • HKEY_CLASSES_ROOT\OutlookAddin.Addin.1
  • HKEY_CLASSES_ROOT\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\
    OutlookAddin.Addin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\
    UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{D046FF69-D86A-42C6-AE7F-B372C680446D}

In addition, after installing itself, the trojan will try to contact http://www.security-udpater.com to check if there is any new version.
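A read-only host check for the file, registry and loaded-module artifacts this entry lists, added here as an example and not part of the McAfee description. It assumes PowerShell 3.0 or later running with administrator rights on a Windows host, and resolves %ProgramFiles% and %windows% through the matching environment variables; it reports and changes nothing.

```powershell
# Added example (not from the McAfee entry): look for Skintrim.gen artifacts on this host.
# Assumes: PowerShell 3.0+, elevated session, artifacts in the locations the entry names.
$findings = @()

# File artifacts from the description.
$files = @(
    (Join-Path $env:ProgramFiles 'MailSkinner\MailSkinner.exe'),
    (Join-Path $env:ProgramFiles 'MailSkinner\OESkinner.dll'),
    (Join-Path $env:ProgramFiles 'MailSkinner\OLSkinner.dll'),
    (Join-Path $env:windir 'system32\msegcompid.dll'),
    (Join-Path $env:windir 'system32\msclock32.jpg'),
    (Join-Path $env:windir 'system32\axsetup.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Registry keys specific to this trojan. The generic parents (HKCU\Software\mc,
# HKCU\Software\exts, HKCU\Software\Microsoft\Installer and its Features subkey)
# are left out: they can exist on clean systems, so only the named GUID subkeys are checked.
$keys = @(
    'HKCU:\Software\epk_extr',
    'HKCU:\Software\exts\{8E09CB72-3143-4414-A1C2-63E9C0438472}',
    'HKCU:\Software\MailSkinner',
    'HKCU:\Software\Microsoft\Installer\Products\96FF640DA68D6C24EAF73B276C0844D6',
    'HKCU:\Software\Microsoft\Installer\UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{180B4EE9-1795-4429-9651-F17A6515726D}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{0A089E22-5736-4092-B3F8-3F0D5F345482}',
    'Registry::HKEY_CLASSES_ROOT\OutlookAddin.Addin',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{5BAD7FAE-81F0-4439-8C1A-3E8907998047}',
    'HKLM:\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\589C136F0E6FCEA4FAC5EFBABA79F5A0',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D046FF69-D86A-42C6-AE7F-B372C680446D}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Symptom check: the entry says OESkinner.dll is hooked into all processes and axsetup.dll into iexplore.exe.
$dllNames = @('OESkinner.dll', 'axsetup.dll')
foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($dllNames -contains $m.ModuleName) {
                $findings += "Module $($m.ModuleName) loaded in $($p.ProcessName) (PID $($p.Id))"
            }
        }
    } catch { }  # access denied on protected or cross-bitness processes is expected
}

if ($findings.Count -eq 0) { 'No Skintrim.gen artifacts found.' } else { $findings }
```

The HKCU keys are checked only in the hive of the user running the script; to inspect another user's profile, load that hive first or run the check in that user's session.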

Symptoms

Once running on the victim machine, OESkinner.dll will be hooked to all running processes, and axsetup.dll will be hooked to iexplore.exe.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a family of trojans which download and execute arbitrary files.
