Quick Way to Remove the Skype Worm

Martin Brinkmann
Sep 12, 2007
Updated • Dec 16, 2012
Security

In case you have not heard yet, a Skype worm is spreading that affects Skype clients on Windows. The virus automatically sends a chat message to other Skype users containing a link to an image on a website, where a simple redirection prompts users to download a file with the .scr extension. SCR files are usually screensaver files, but they are also often used by malware to infect systems and bypass security software that mainly looks out for .exe files.

If a user runs the downloaded .scr file, the computer becomes infected with the w32/Ramex.A virus, which uses Skype’s public API to access the infected PC. If you are lucky, your resident antivirus software may block the execution of the file; if not, you may need to follow the guide below to remove it from your system. Many antivirus companies, such as Symantec, Kaspersky and F-Secure, have already updated their virus definitions to detect and remove the worm.

It is however also possible to remove the worm manually by following the steps outlined below:

  1. Restart the PC in safe mode
  2. Run regedit by using the Windows-R shortcut to open a run dialog box, typing regedit, and hitting the enter key.
  3. Go to HKLM/software/microsoft/windows/currentversion/runonce and find the entry with mshtmldat32.exe. Delete this entry.
  4. Go to Windows\System32 directory and delete the following files there: wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe. Use the search if you can't find the files immediately or do not want to browse the large list of files manually.
  5. Go to windows/system32/drivers/etc
  6. Find the hosts file there.
  7. Open it with Notepad, press Ctrl+A and delete all entries (this will resume your antivirus updates), then save and close. If you have used the hosts file previously, make sure you keep legitimate entries in there and only delete the entries that block your antivirus software from updating.
  8. Restart the PC.

via Skype blog
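
A read-only check for steps 4 and 7, as an added example that is not from the original article or the Skype blog: it looks for the four listed file names in a directory and separates hosts entries that name an antivirus vendor from the entries worth keeping. The vendor keyword list, the function names and the sample hosts text are assumptions constructed for illustration.

```python
import ipaddress
import os

# File names the article lists for deletion from the System32 directory (step 4).
WORM_FILES = ("wndrivs32.exe", "mshtmldat32.exe", "winlgcvers.exe", "sdrivew32.exe")
# Assumption: keywords for the three vendors the article names; extend for your own product.
VENDOR_HINTS = ("symantec", "kaspersky", "f-secure")

# Constructed sample hosts content, not captured from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
10.0.0.5 intranet.example  # legitimate manual entry
127.0.0.1 updates.symantec.example
127.0.0.1 dnl.kaspersky.example www.f-secure.example
not-an-ip broken.example
"""

def find_worm_files(directory):
    """Return the listed worm file names present in directory (case-insensitive)."""
    present = {name.lower() for name in os.listdir(directory)}
    return [name for name in WORM_FILES if name in present]

def audit_hosts(text):
    """Split hosts text into (suspicious, kept) lines.

    A line is suspicious when it maps any host name containing a vendor hint,
    whatever address it points to. Comments, blanks and malformed lines are kept.
    """
    suspicious, kept = [], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        hit = False
        if len(fields) >= 2:
            try:
                ipaddress.ip_address(fields[0])  # first field must be an address
                hit = any(h in name.lower() for name in fields[1:] for h in VENDOR_HINTS)
            except ValueError:
                pass  # malformed line: leave it for manual review
        (suspicious if hit else kept).append(raw)
    return suspicious, kept

if __name__ == "__main__":
    flagged, _ = audit_hosts(SAMPLE_HOSTS)
    print("hosts entries to review:", flagged)
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system32):
        print("listed files found:", find_worm_files(system32))
```

Nothing is deleted or rewritten; the flagged lines and file names are the ones to handle by hand as described in the steps above.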


Comments

  1. Nemus said on October 10, 2012 at 8:14 am

    hey there

    Thanks for taking your time to provide us with this article.. I found it easily on a search and thus attempted it.. Thanks for a phenomenal waste of my time… None of the filenames you mentioned to search for existed in safe mode or otherwise. Not wndrivs32.exe, mshtmldat32.exe, winlgcvers.exe, sdrivew32.exe or mshtmldat32.exe

  2. Martin said on September 12, 2007 at 11:12 pm

    Did you try starting in safe mode? If yes, I would start the command line mode only and delete all the files mentioned above.

    You could also try system restore.

  3. Alan Pollock said on September 12, 2007 at 10:56 pm

    I have a computer running Windows XP Home with SP 2. This computer has been infected with the Skype Worm, Ramex, and we cannot log on any more. Each time you try to log on it simply goes back to “Saving your settings” and returns you to the logon screen.

    Can anyone help with any advice on how to get around this? I cannot access Regedit, nor can I edit the hosts file from the Repair utility.

    I am really desperate, please help.

    Alan
