The evil Microsoft did it to Skype!

Saturday, June 11, 2011

I wrote up this document to record what happened to Skype soon after Microsoft bought it. Skype installed EasybitsGo.exe on your computer without your permission. EasybitsGo.exe ran as a process even if you clicked Deny when Skype asked whether to allow it to run.

People who had either updated Skype or downloaded the latest version, realized what had just happened and tried to remove EasybitsGo.exe soon found that this was no easy task. One route proved to be a dead end: Easybits offered RemoveGo (http://www.easybitsmedia.com/support/RemoveGO.exe) as the way to get rid of it. However, that was a fake uninstall! EasybitsGo.exe would still run on your computer. People who simply tried to uninstall it reported that the server was still running in memory. The only way to get rid of it for sure is to go under Tools > Options > Advanced and uncheck "automatically stop extras", then click the "manage other connections to skype" link at the bottom and remove Easybitsgames. That was the easy and simple way, but the more complete way was much more lengthy:

- Disable and remove 3rd party access to the EasybitsGo.exe file in Skype via Options > Advanced > Advanced Settings > Manage other programs' access to Skype.
- Remove the Easybits Go program via the Install/Uninstall panel under your system's control panel.
- Exit Skype and make sure Skype.exe is not running in the list of running processes (via Task Manager). Also temporarily disable Skype from starting automatically when Windows starts.
- Then restart your computer, since the program will still be in use by the system.
- Once restarted, go to [Drive Letter]:\ProgramData or [Drive Letter]:\Documents and Settings\All Users\Application Data and permanently delete the Easybits GO folder.
- Remove whatever shortcuts it may have placed in the start menu and desktop.
- If you are confident enough to dig around in your registry, go to HKEY_CURRENT_USER\Software and delete the entire EasyBits folder.
- Go to the Windows\Prefetch directory, look for the file EASYBITSGO.EXE-364DAFD6.pf and delete it. Also do a search for ezPMUtils.dll and delete them all.
- If you are on Windows 7, delete the go folder in this directory: Users > [YOUR USERNAME] > AppData > Roaming
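To confirm the manual steps above actually removed everything, the following report-only PowerShell audit checks each location the list names, plus the Post Platform registry value mentioned in the comments below. It is an added example, not part of the original post or any Easybits or Skype tooling; the function name, the wildcard folder and prefetch matches, and the ezPMUtils.dll search roots are assumptions. Run it elevated so the Prefetch directory is readable.

```powershell
# Added example: lists EasyBits GO leftovers; it deletes nothing.
function Get-EasyBitsLeftover {
    $hits = @()
    # Process still resident in memory after an "uninstall".
    $hits += @(Get-Process -Name 'EasybitsGo' -ErrorAction SilentlyContinue |
        ForEach-Object { "process  : $($_.Name) (PID $($_.Id))" })

    # Shared data folders (assumption: folder name starts with "Easybits").
    $roots = @($env:ProgramData,
        (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data'))
    foreach ($root in @($roots | Where-Object { $_ -and (Test-Path $_) })) {
        $hits += @(Get-ChildItem -Path $root -Filter 'Easybits*' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { "folder   : $($_.FullName)" })
    }

    # Per-user "go" folder under AppData\Roaming.
    $roamingGo = Join-Path $env:APPDATA 'go'
    if (Test-Path $roamingGo) { $hits += "folder   : $roamingGo" }

    # Registry key under HKEY_CURRENT_USER\Software.
    if (Test-Path 'HKCU:\Software\EasyBits') { $hits += 'registry : HKCU:\Software\EasyBits' }

    # Internet Explorer user-agent token (value name starts with "Easybits").
    $pp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
    if (Test-Path $pp) {
        $hits += @((Get-Item $pp).GetValueNames() | Where-Object { $_ -like 'Easybits*' } |
            ForEach-Object { "registry : $pp -> $_" })
    }

    # Prefetch entry; the hash suffix depends on the install path, so match by wildcard.
    $hits += @(Get-ChildItem -Path (Join-Path $env:windir 'Prefetch') -Filter 'EASYBITSGO.EXE-*.pf' `
            -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "prefetch : $($_.FullName)" })

    # Stray ezPMUtils.dll copies (assumption: these roots are enough; widen if needed).
    $dllRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:USERPROFILE) |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in @($dllRoots)) {
        $hits += @(Get-ChildItem -Path $root -Filter 'ezPMUtils.dll' -Recurse -Force `
                -ErrorAction SilentlyContinue |
            ForEach-Object { "dll      : $($_.FullName)" })
    }
    return $hits
}

$found = @(Get-EasyBitsLeftover)
if ($found.Count) { $found } else { 'No EasyBits GO leftovers found.' }
```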

This malware seems to have hitchhiked in on a "trusted" program: Skype. That means that inside Skype there is a trojan downloader. It bypassed all the Windows authenticity checks, alerts, certificate of authenticity verification and user permissions. That the trojan downloader inside Skype bypasses all these Microsoft Windows security features seems intentional. Just because we found one trojan downloader installed by Skype doesn't mean we found all the exploits. This downloader allowed Easybits to make vast changes to the registry. Apparently, Skype also didn't test this software before pushing it over their service. Or they didn't care. The report at http://threatexpert.com/report.aspx?md5=f6a970c3351815ac9d932a792f23be45 shows lots of file modifications and registry entries. Skype is a broadband conduit to the web and has hooks to facilitate program calls to this conduit. Any program installed under Skype has the potential to compromise all the data on the machine and all shared data on the LAN. Additionally, this trojan downloader inside Skype might be exploited by other hackers.

The more customer installations Easybits GO can claim, the higher the value of the company. With the impending purchase of Skype by Microsoft, Easybits would potentially be dropped, perhaps to be replaced by a Microsoft games product. They seem to have struggled to push out this untested malware (over a holiday weekend) to establish themselves as an important, integral Skype feature. In a last-ditch effort to become part of the new Microsoft VOIP and messenger product that evolves from the Skype purchase, they forced this installation on users even though only 30% of Skype customers ever use the Skype game features. That means they overstate their customer base by a factor of three. I think this abuse and unwanted publicity may assure they won't become part of the new Microsoft product.

No wonder that game sessions have jumped to over 7 million sessions. If you run Skype in the background when you don't use it, you are probably generating loads of game sessions.

P.S. Now that Microsoft is the owner you can expect more of this. I guess when they bought Skype they thought they also bought the users!

2 comments:

Anonymous said...

You have to remove Easybits GO V1.0 from

\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\

manually to get rid of Easybits in the Internet Explorer HTTP Signature.

lyecdevf said...

I never much used Skype at all but now I really am going to make a point about never using it again. For one I want to avoid anything that has been touched by Microsoft and the other I do not want to get another shock like I did the last time when I read about this.