T9000 Trojan listens to and records your Skype conversations

The T9000 Trojan is capable of listening to and recording your Skype conversations. It was identified by the security company Palo Alto Networks, which published a detailed report about the T9000 Trojan on its website.

They explain that the T9000 Trojan has capabilities which allow it to gather sensitive information:

In addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users.

They also noticed that the T9000 Trojan is capable of evading at least 24 security products:

The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.

The list of security products which it is able to detect and evade:

  1. Sophos
  2. INCAInternet
  3. DoctorWeb
  4. Baidu
  5. Comodo
  6. TrustPortAntivirus
  7. GData
  8. AVG
  9. BitDefender
  10. VirusChaser
  11. McAfee
  12. Panda
  13. Trend Micro
  14. Kingsoft
  15. Norton
  16. Micropoint
  17. Filseclab
  18. AhnLab
  19. JiangMin
  20. Tencent
  21. Avira
  22. Kaspersky
  23. Rising
  24. 360

The T9000 Trojan stores the audio of Skype conversations in an encrypted file. Once the file has been decrypted, it turns out to be a .wav file containing the audio of each Skype conversation. The video of Skype conversations is stored as pictures.


The command and control server of the Trojan can be found at:


PORT:    8080

Beware: the C&C is still active.