Users of Skype that run 64-bit versions of Windows like me probably have noticed that when starting Skype, the following dialog box appears:
The program or feature “\??\C:\Documents and Settings\Myria\Local Settings\Temp\12\1.com” cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
Well, that’s weird. Skype’s trying to run a .com file, which won’t work on Win64 because there’s no NTVDM. Let’s try opening it in Hex Workshop. Access denied? OK, I’ll terminate Skype to read it. Still can’t?! This thing is really starting to annoy me. I’ll use WinDbg to terminate winlogon.exe to force a kernel panic. I reboot and NOW I can read the damn file.
An unreadable executable file coming from Skype sounds interesting, so I look at it. It’s 46 bytes long. For copyright reasons I can’t post the file or a complete disassembly. However, I can describe the program in terms of 16-bit DOS C:
int main(void)
{
fwrite((const void far*) 0xF0000000, 1, 0xFFFF, stdout);
fwrite((const void far*) 0xF000FFFF, 1, 1, stdout);
return 0;
}
It’s dumping your system BIOS, which usually includes your motherboard’s serial number, and pipes it to the Skype application. I have no idea what they’re using it for, or whether they send anything to their servers, but I bet whatever they’re doing is no good given their track record.
In 32-bit Windows NT, including Vista, the kernel permits NTVDM to make a read-only mapping of the BIOS at address 000F0000. This allows DOS programs running under NTVDM to make use of the BIOS. That’s how this 46-byte program is capable of sending the BIOS to the Skype application, and also explains why they use this mechanism to begin with.
If they hadn’t been ignorant of Win64’s lack of NTVDM, nobody would’ve noticed this happening.
But why they do this..? what purpose they wanted to solve by knowing ones serial number ?… is it a right way to deliver the services… it’s just a ridiculous thing…
I had feeling in my stomach this morning like I had swallowed big stone when I went to make a call to a friend via Skype. I had not authorized Skype to do this…I had no alert from Zone Alarm…All my private contacts from Microsoft Outlook were now on my Skype Contacts…Not at any time had I enabled or disabled the option for my Outlook Contacts to be put on the Skype Contacts…Did I miss something here when I read the EULA before I installed Skype 6 months ago? I have been compromised & I may have now become a victim of identity theft, since information I had stored in my contacts was information required for filing income tax…Skype had access to this, without my knowledge it appears. There is a lot more at stake her for me besides the fear of reading the serial number…THERE IS DEFINITELY A “SERIAL KILLER” LOOSE HERE!!! Since this morning I have uninstalled Skype…fired off an email to Skype stating I want my money back (prepaid for a year) & mentioned that if I have to pay to get this spyware off my computer…they are liable! This is how I ended up at this forum!!!
[...] Gira voce che un utente smaliziato, andando a curiosare il file colpevole per vedere quale poteva essere il suo contenuto, abbia scoperto una stringa di 46 byte di cui riportiamo uno stralcio di seguito: [...]
Thanks man, i agree
You (probably) now it….
Report of 09.02.2007 17:47
http://www.heise-security.co.uk/articles/82481/1
i thought so… nothing new.. just money over and over again.
i’m terrible boring with it!!
greetings!
When I execute my new “Anti Skype Bios Access” programm,
Skype will not start.
When I close it, Skype starts.
What do you think??
Hi…is this site dead? Not having a huge understanding of assembler (of any CPU) myself, I was finding the previous posts a very interesting read. Its also stunning just how bad the x86 instruction set is. But nothing new since February? What happened?
yup dead
[...] permalink Leute, ich kann euch fr diesen Thread gar nicht genug danken! Vor ein paar Wochen wurde in diesem Thread meine Aufmerksamkeit fr das Thema geweckt,hier sind noch einmal Fakten hinzugekommen. Jetzt sehe ich jedoch eine wahre Flut von Artikeln zum Thema Skype als Sicherheitsrisiko, was ich in diesem Ausma nicht gedacht htte. Wie kann es denn sein, dass niemand genau wei was skype im Computer macht – Myria hat die Arbeitweise von Skype schon teilweise aufgedeckt, und noch immer ist man sich im unklaren, welche Prozesse Skype en detail veranlasst? Kann jemand einen kurzen berblick dazu geben, was es mit Kazaa auf sich hat? Und: Welche Alternativen zu Skype gibt es? ich habe bisher nur http://www.openwengo.com/ endeckt. Ich berlege mir ernsthaft zu wechseln, da mir dieses Zeugs etwas zu suspekt ist Viele Gre, Deppi __________________ "Der Kopf ist rund damit das Denken die Richtung wechseln kann" [...]
oh my god so your saying that anyone using skype withing 1 year if that your bios will be carupt
[...] Skype has even been documented to access bios information and identify your individual computer (and here and here too). Hmm, there’s a name for this type of software … evens so, their website claims “No Spyware … Malware”. I’ll be trashing Skype for good. [...]
In my eyes the bios information and m’board serial no’s are analyzed in cooperation with the dept. of homeland security to minimze possible terror threats and gain information…
big bush is watching us.
I told you, I do remote viewing….
Yotwen: it takes one to know one… It depends what the maggots grow in….
[...] June 11, 2007 at 21:28 · Filed under полезности Далее идёт вольный перевод следующей нашумевшей статьи: [...]
[...] Skype is known to behave in a suspicious manner, for example collecting BIOS and motherboard information – information that a VoIP/chat program has no legitimate use for. Or imposing artificial limitations based on CPU vendor. [...]
You people don’t have a clue of what your talking about! SKYPE does NOT behave in a suspicious manner, it is not collecting BIOS and motherboard data, and the EBAY deal is not weird. Try being more open-minded, rational, and seek mental help. Read your SKYPE T.O.A… P2P is clearly spelled out and you opt-in for it. They DON’T work with American intelligence community as their loyalties may lay ELSEWHERE closer to home… They are in Tallin Estonia who do you think they would work with under the table IF they did… which they probably don’t as they are true capitalists!
You probably have a frickin’ VIRUS which is reading tour BIOS and Motherboard ID… Skype isn’t’ doing it. And who says Skype is totally FREE? Not any more! Also they want to move into Wi-Fi-based Skype cell phones through Radio Shack and Walmart. Keep up with the times why don’t you. Their computer scientists are probably the same Russians from Moscow’s MIT used by that Indian guy in Chicago USA who makes that RF PDA mpg player for kids called Cybiko.
They have to impose system limits some people don’t have the power or sys req to have so many sockets and stuff open… Some people have IBM POS’s ya’ know… Everyone knows IBM sucks. What’s wrong with INTEL?
I can only imagine what other pieces if information Skype is reading from our computers.
I have had a horrid experience in the last few days with Skype.
My Skype ID was hijacked by someone else and I have been reporting it to Skype repeatedly on an hourly basis.
There was about $40.00 in my Skype out account but what I am more worried about is that it is linked to my PayPal account.
No action has been taken by Skype except to say that someone with the email of antyposter@hotmail.com has now got my Skype ID.
My many pleas for something to be done about it after that one email from Skype have not been answered.
This is a desperate plea for help from the Internet community as Skype is not responding. What can I do?
This is used as a part of seed for the pseudo random number generator maybe?
As we know skype is heavily using cryptography and PRNG is a building block of it. I wonder why direct reading it this way then, if it was for that reason!
Wow, so Skype is with one leg in Spyware lake.
Great!
What come next?
[...] http://www.pagetable.com/?p=27 [...]
[...] Вот вам раз, вот вам два, вот вам три, вот вам четыре (при желании еще найдете). И не пытайтесь меня на скайп посадить, давайте GPG + Jabber over SSL, это открыто (как протокол) и закрыто для дешифровки и подглядываний. [...]
Great article thanks !
That’s topic is full of bullshits.
Fist ntvdm is a process for graphic DOS console application. Second, you cannot read any address out of your process. The void far* is in the data segement so 0xF0000000 is not the address of the BIOS. Address of the BIOS is 0xF000:0xF0000000 and you can access only by inline assebly. Next mistake is that you say you found 16 bytes COM file. The COM is compiled file and there is no way to take back the C++ code. You should post a assembly code and then it will look more real. Also that 4 lines if they had worked, they will not send BIOS to skype, but to the screen, showing the user what BIOS contains.
Anyway, you should learn programing before posting such fake topics. There is no way Skype or any other Windows application to get your BIOS. Application that can take BIOS and rewrite it can only be started instead of operation system when the computer starts.
[...] Skype Reads Your BIOS and Motherboard Serial Number – заметка в блоге, разоблачающая махинации, скрыто проделываемые Skype, читающим BIOS и серийный номер материнской платы: http://www.pagetable.com/?p=27. [...]
[...] Artículo en Slashdot Artículo en Pagetable [...]
Hi.
Good design, who make it?
ja volim imelllen skype
[...] a bit deeper into Skype, ie beyond the end of my nose, I see there is another cause for concern. Pagetable reveal that when you log on to Skype, they tap into your BIOS and motherboard serial number to [...]
[...] «Skype Reads Your BIOS and Motherboard Serial Number» – заметка в блоге, разоблачающая махинации, скрыто проделываемые Skype, читающим BIOS и серийный номер материнской платы: http://www.pagetable.com/?p=27. [...]
[...] Skype Reads Your BIOS and Motherboard Serial Number [...]
[...] ^ pagetable.com » Blog Archive » Skype Reads Your BIOS and Motherboard Serial Number [...]
I thought better about them
Interesting article but, its from February 2007. What’s the status today December !st 2008?
How do I get rid of it? Does it need getting rid of?
Can I safely use Skype for International business conference calls? Who is listening?
No wonder one becomes paranoid about downloading even stuff that should be safe. Bloody Hell!
The Baldchemist
[...] by Myria on pagetable.com titled, Skype Reads Your BIOS and Motherboard Serial Number. Read it here for yourself and make your own decisions. I will definitely be recommending an uninstall! [...]
[...] OSS i freeware Bart Ogryczak wrote: > Obcym i Palaczowi. Oni s wszedzie. Trust no one. http://www.pagetable.com/?p=27 Jak sdze do Skype’a siedziby wysyla, ale po co, tego nie jestem pewien, anyway, omijam jak moge. [...]
[...] klientas?Susidomėjusiems – Firefox profilo skaitymas nėra vienetinis atvejis. Skype aktyviai nuskaito BIOS nustatymus, kurie apskritai neturėtų turėti naudingos informacijos tokiai programai, kaip Skype. Skype [...]
@Masterkiller: It is possible to read the BIOS from Windows NT. No need to reboot or change the OS.
[...] http://www.pagetable.com/?p=27 [...]
[...] a small error in the 64-bit version of Skype revealed that it has been reading our Computer’s BIOS and Motherboard Serial Number. [...]
Is this for real? Is Skype really this deviant?
Yes, I am paranoid, but why the heck should Skype implement a readout of my hardware (BIOS) ID?
And why do they hide the little file containing the readout data from my eyes?
I already asked Skype about this… here what Kurt Sauer, the Chief Security Officer of Skype said:
“Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS. The recent versions of Skype for Windows, after 3.0.0.216, include this updated framework.”
So don’t worry more
Good luck
[...] — http://www.pagetable.com/?p=27 [...]
making people up…
proven method to how to stop a breakup…
[...] infatti, a quello che si legge su Pagetable, rimbalzato agli onori della cronaca perché pubblicato anche su Slashdot, Skype, in fase di login, [...]
This should not be ignored. I have been running sysinternals process monitor and watching skype.exe due to it taking up to 2 minutes to log in or create an account and opening hundreds of connections to other computers, even though i have group policies and registry keys disabling supernode. (as detailed in skype’s own network admin guide found here: http://www.skype.com/security/network-admin-guide-version2.2.pdf ) I have been doing this off and on over the past month. During this time, I found skype to be reading the hard disk volume id and creation date/time, the windows product id, unique identifying information about hardware installed on those computers, information from registry keys for Windows Product Activation (unique values that can’t be changed), and more. All of this takes place before I even log in, including the hundreds of open udp and tcpip connections. When I’ve tested logging in multiple accounts in a row, I’ve noticed that, on rare occasions, skype accesses the desktop.ini file and then reads directory contents of folders on my desktop. Less than a day after I first noticed this last part happening, one of my personal software programs (located in a folder on my desktop) checked in with my webserver from an unapproved ip I later found in the group of ip addresses skype had opened a connection to. It only checked in once, but it still happened…Proof that skype stole at least one file from my computer.
If I enter a wrong password or put in bogus info for the account creation process, causing it to fail, I’ve noticed it will look up certain machine-unique identifying information once again and then transmit more data. (obviously sending this info to skype) Other than that, it was randomly failing my valid logins and slowing my quad-core computer and dual quad-core servers down in ways I’ve only experienced with bad spyware, trojans, viruses or DOS attacks. If it wasn’t for these annoyances and the very noticeable lag I was experiencing, I probably would’ve never looked into it.
I find it much more likely that skype is spying and transferring files or sensitive information from users’ computers than the lies they’ve fed the participants in this thread. During my investigation of this matter, I found the thread I’m posting to as well as lots of threads regarding paying users having difficulty logging in and not getting answers for up to a week after following skype’s own instructions. I also discovered the following links which made me feel more obligated to post my findings.
http://www.pagetable.com/?p=27
http://forum.skype.com/index.php?showtopic=98518&st=160
http://freedom-blog.net/2009/03/14/ten-reasons-why-you-should-boycott-skype/
http://www.google.com/search?q=skype+spies+on+users
I’ve noticed that verclsid.exe will occasionally pop up in process monitor while running skype, even though it hasn’t shown up in the past two days of leaving process monitor on while skype was closed. This happened even after I renamed the system32/verclsid.exe file to verclsid.bak, indicating they may be creating a file disguised as a valid windows process to do something the skype executable can’t, or doesn’t want to be caught doing.
DON’T LET THEM SWEEP THIS UNDER THE RUG! DEMAND A REAL ANSWER OR AT LEAST TELL YOUR FRIENDS WHAT YOU’VE LEARNED HERE. BOYCOTT SKYPE!
as a final note, here are some example lines copied from process monitor, with identifying info replaced with X’s for obvious reasons.
[i]
12:43:00.9131187 PM Skype.exe 3676 QueryInformationVolume C:\ SUCCESS VolumeCreationTime: XX/XX/XXXX XX:XX:XX PM, VolumeSerialNumber: XXXX-XXXX, SupportsObjects: True, VolumeLabel:
5:23:45.2135337 AM Skype.exe 592 RegQueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 18, Data: XXXXXXX
5:23:43.2928407 AM Skype.exe 592 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId SUCCESS Type: REG_SZ, Length: 48, Data: XXXXX-XXX-XXXXXXX-XXXXX
5:23:43.2959626 AM Skype.exe 592 RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\XX\DiskController\DiskPeripheral\Identifier SUCCESS Type: REG_SZ, Length: 40, Data: XXXXXXXX-XXXXXXXX-X
5:23:43.2609038 AM Skype.exe 592 RegSetValue HKCR\Skype.Detection\CLSID\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
(these two identifying strings are the same)
5:23:43.2609946 AM Skype.exe 592 RegSetValue HKCR\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\ProgID\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Skype.Detection
5:23:42.4085004 AM Skype.exe 592 RegQueryValue HKLM\SYSTEM\WPA\PnP\seed SUCCESS Type: REG_DWORD, Length: 4, Data: XXXXXXXXXX
[/i]
[...] [...]
Fascinating!
I was drawn to this site because my IP blocker, “PeerBlock” goes totally nuts when skype is switched on.
Mainly blocking universities, all over the world.
I am lucky as I find and use this site to know my bios serial. But some problem was happened.