BKDR_METEO.HVN

This malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it disguises as a Skype Encryption to lure users into downloading and executing the itself.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

As of this writing, the said sites are inaccessible.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This backdoor connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}8/SkypeEncription/Download/skype.exe

It saves the files it downloads using the following names:

• %User Temp%\skype.exe - detected as BKDR_ZAPCHAST.HVN

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

As of this writing, the said sites are inaccessible.

NOTES:
It displays the following window to trick the user that this is a tool used to encrypt user's Skype data:

There is no evidence that this software actually provides any security properties.