New malware attacks Skype on Windows: the T9000

A new sophisticated malware which can take recordings and screenshots of Skype activity, avoiding detection by security software, has been discovered by Palo Alto Networks.


T9000 represents a new variant of the T5000 malware family: it works to identify a total of 24 potential security products running on a system and then alters its installation procedure in order to avoid the relevant cyber defences.

The primary functionality of this malware is to collect information about the targeted victim which is does by compromising Skype video calling software.

After the malware has hooked into Skype, it records video calls, audio calls, and chat messages, then it stores them in a directory specially created by the trojan called Intel, which the attackers can access remotely.

A system gets infected with T9000 when the user inadvertently opens an RTF file compromised with exploits for both CVE-2012-1856 (Vulnerability in Windows Common Controls in MSCOMCTL.OCX) and CVE-2015-1641 (Microsoft Office Memory Corruption Vulnerability) vulnerabilities.

When this module is downloaded and executed, the user will receive the message explorer.exe wants to use Skype, like this screenshot:

Skype T9000

Any system that does not have Microsoft updates MS12-060 and MS15-033 is impacted.

More technical info on

Published: February 11 2016