Little Warning

Today Darren and I found out that http://skypegrab.info is offering their ‘Application’ to resolve skype usernames. Which once we took a closer look at, it contained a (what looked like) RAT. I know a fair bit of users from Habbo go to skypegrab, as a few booters actually used it, so I should just warn anyone who goes there. If you were dumb enough to download the application (like a few people I know), well then you’ve probably got yourself a RAT.

Two options for you:

1. Do a system restore

2. Clear all traces of the application

If you want to do it quick and just forget about it, go with 1, if you want it all removed, go with 2.

Upon disassembly of the application, I found that it uses NetPE. Looking further in, it drops an executable (MBNjIEUNp.exe at 4kb) along with a base executable (SKYPE.exe at 3.3mb) to your %appdata% folder. The first executable (MBNjIEUNp.exe) adds a key to your registry, so that SKYPE.exe starts up everytime your computer does. So anyway, to remove it do this:

1. Delete both MBNjIEUNp.exe and SKYPE.exe from %appdata% or %appdata%\Skype
2. Delete the “game” registry value inside the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce registry key
3. It’s gone

Thanks to Darren for pointing this out.