Looks like virus writers are at it again. Some Skype users have been contacted over chat by people warning against viruses and offering to send the user a file that masquerades as Spyware Doctor, a popular anti-malware program from PC Tools. Needless to say, the file they’re attempting to send (SpyWareDoctorSetup.exe) is not the real thing. Instead, it’s a piece of malware, affecting Windows users. Do not accept or run this executable file.
From what we understand, this malware likely belongs to the same family as previous password stealers. The behavior is exactly the same, only this time it disguises itself as Spyware Doctor. The setup process of the genuine Spyware Doctor is completely different.
When executed, the fake version displays the “Welcome” screen and promptly shuts down Skype. When the unsuspecting user presses the “Next” button, the program briefly displays a fake installation screen (in reality, no installation takes place) and then immediately displays the “Skype login” screen.
When the user enters his username and password, an error message is displayed — regardless of whether the password was correct or not. In the background, however, the entered login details are sent to a malicious web server. In addition, the program reads Internet Explorer’s saved forms and passwords stored in Windows protected storage and sends them along as well. It does not read stored information in any other web browser.
Clicking on the “Close X” button or the standard close window button in the upper right corner of the window does not close the program. You can only terminate the program from the Windows Task Manager.
The malware is a password stealer and does not interact with Skype in any way. It does not stay resident in memory, modify any Windows DLLs, inject threads into existing services, or try to survive reboot (there is no modification of the Registry or existing registered services). And the program does not attempt to distribute itself in any way. In fact, it seems to be spread by real people using Skype chat, as there is no evidence that the process is automated.
So, if you’ve unwittingly fallen victim to this password stealer, here’s how to disinfect your machine manually:
- Double click on the Windows taskbar to open Task Manager
- Select the Processes tab
- Find SpyWareDoctorSetup.exe from the list
- Click on the End Process button
Delete SpyWareDoctorSetup.exe from the file system (use Search For Files and Folders to find the location in case you don’t remember where you saved it).
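The same manual cleanup as a PowerShell script, for anyone who has to repeat it on several machines. This is an added example, not part of the original post: the search locations, the `-Remove` switch and the hash logging are assumptions, and matching is by file name only because the post gives no hash.

```powershell
# Added example: name-based cleanup for the fake installer described above.
# Run without -Remove to get a report only; add -Remove to kill and delete.
param(
    # Process name without ".exe" (file name taken from the post).
    [string]$ImageName = 'SpyWareDoctorSetup',
    # Assumption: places a file received over chat is likely to be saved.
    [string[]]$SearchRoots = @($env:USERPROFILE, $env:TEMP),
    [switch]$Remove
)

# Step 1: end any running instance (same effect as End Process in Task Manager).
$procs = @(Get-Process -Name $ImageName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    Write-Output ("Running: PID {0}  Path {1}" -f $p.Id, $p.Path)
    if ($Remove) {
        Stop-Process -Id $p.Id -Force
        # Wait for exit so the file is no longer locked when we delete it.
        Wait-Process -Id $p.Id -Timeout 10 -ErrorAction SilentlyContinue
    }
}

# Step 2: find copies on disk (replaces "Search For Files and Folders").
$files = @(Get-ChildItem -Path $SearchRoots -Filter "$ImageName.exe" `
              -Recurse -File -Force -ErrorAction SilentlyContinue |
           Sort-Object FullName -Unique)

foreach ($f in $files) {
    # Record the hash before deleting so the sample can still be identified later.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Output ("Found: {0}  SHA256 {1}  Written {2}" -f `
                  $f.FullName, $hash, $f.LastWriteTime)
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

if ($procs.Count -eq 0 -and $files.Count -eq 0) {
    Write-Output "No process or file named $ImageName.exe was found."
}
```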