Skype Reads Your BIOS and Motherboard Serial Number

Users of Skype that run 64-bit versions of Windows like me probably have noticed that when starting Skype, the following dialog box appears:

The program or feature “??C:Documents and SettingsMyriaLocal SettingsTemp121.com” cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

Well, that’s weird. Skype’s trying to run a .com file, which won’t work on Win64 because there’s no NTVDM. Let’s try opening it in Hex Workshop. Access denied? OK, I’ll terminate Skype to read it. Still can’t?! This thing is really starting to annoy me. I’ll use WinDbg to terminate winlogon.exe to force a kernel panic. I reboot and NOW I can read the damn file.

An unreadable executable file coming from Skype sounds interesting, so I look at it. It’s 46 bytes long. For copyright reasons I can’t post the file or a complete disassembly. However, I can describe the program in terms of 16-bit DOS C:

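#include <stdio.h>

int main(void)
{
    /* F000:0000 onward: the first 0xFFFF bytes of the BIOS segment */
    fwrite((const void far*) 0xF0000000, 1, 0xFFFF, stdout);
    /* F000:FFFF: the final byte of the 64 KiB segment */
    fwrite((const void far*) 0xF000FFFF, 1, 1, stdout);
    return 0;
}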

It’s dumping your system BIOS, which usually includes your motherboard’s serial number, and piping it to the Skype application. I have no idea what they’re using it for, or whether they send anything to their servers, but I bet whatever they’re doing is no good given their track record.

In 32-bit Windows NT, including Vista, the kernel permits NTVDM to make a read-only mapping of the BIOS at address 000F0000. This allows DOS programs running under NTVDM to make use of the BIOS. That’s how this 46-byte program is capable of sending the BIOS to the Skype application, and also explains why they use this mechanism to begin with.
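
One place a board serial can sit in such a dump is the SMBIOS data, whose entry point a legacy BIOS places in the F0000-FFFFF range. The following is an added example, not code from the post or from Skype: it locates the entry point in a 64 KiB image of segment F000 and reads the baseboard (type 2) serial string, which shows what a consumer of the dump could extract. The sample image, vendor names and serial are constructed, and the code assumes the structure table lies inside the dumped segment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BASE 0xF0000u /* physical address of F000:0000 */
#define SEG_SIZE 0x10000u /* 64 KiB, the amount the DOS program writes */

static uint8_t sum8(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    while (n--) s = (uint8_t)(s + *p++);
    return s;
}

/* The 32-bit SMBIOS entry point starts with "_SM_" on a 16-byte boundary
 * and its bytes sum to zero. Returns its offset in the dump, or -1. */
long find_smbios_eps(const uint8_t *dump, size_t len) {
    for (size_t off = 0; off + 0x1F <= len; off += 16) {
        const uint8_t *e = dump + off;
        if (memcmp(e, "_SM_", 4) || memcmp(e + 0x10, "_DMI_", 5)) continue;
        if (e[5] < 0x1F || e[5] > len - off || sum8(e, e[5]) != 0) continue;
        return (long)off;
    }
    return -1;
}

/* Return string number idx (1-based) of the structure at s, or NULL. */
static const char *smbios_string(const uint8_t *s, const uint8_t *end, unsigned idx) {
    const uint8_t *p = s + s[1]; /* strings follow the formatted area */
    while (idx && p < end && *p) {
        const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul) return NULL;
        if (--idx == 0) return (const char *)p;
        p = nul + 1;
    }
    return NULL;
}

/* Walk the structure table for type 2 (baseboard); byte 7 of that structure
 * is the string index of the serial number. NULL if absent or if the table
 * lies outside the dumped segment. */
const char *baseboard_serial(const uint8_t *dump, size_t len) {
    long eps = find_smbios_eps(dump, len);
    if (eps < 0) return NULL;
    const uint8_t *e = dump + eps;
    size_t tbl_len = (size_t)(e[0x16] | e[0x17] << 8);
    uint32_t addr = (uint32_t)e[0x18] | (uint32_t)e[0x19] << 8 |
                    (uint32_t)e[0x1A] << 16 | (uint32_t)e[0x1B] << 24;
    if (addr < SEG_BASE || addr - SEG_BASE > len) return NULL;
    if (tbl_len > len - (addr - SEG_BASE)) return NULL;
    const uint8_t *p = dump + (addr - SEG_BASE), *end = p + tbl_len;
    while (end - p >= 4 && p[1] >= 4 && p[1] <= end - p) {
        if (p[0] == 2 && p[1] >= 8) return smbios_string(p, end, p[7]);
        if (p[0] == 127) break; /* end-of-table marker */
        const uint8_t *q = p + p[1]; /* skip the strings up to the double NUL */
        while (end - q >= 2 && (q[0] || q[1])) q++;
        if (end - q < 2) break;
        p = q + 2;
    }
    return NULL;
}

static uint8_t *put(uint8_t *p, const void *src, size_t n) {
    memcpy(p, src, n);
    return p + n;
}

/* Constructed sample image (not real data): entry point at offset 0x400,
 * structure table at physical 0xF1000, all names and serials made up. */
void build_sample_dump(uint8_t *dump) {
    static const uint8_t t0[0x12] = {0, 0x12, 0, 0, 1};    /* BIOS info */
    static const uint8_t t2[8] = {2, 8, 1, 0, 1, 2, 0, 3}; /* baseboard */
    static const uint8_t t127[6] = {127, 4, 2, 0, 0, 0};   /* end marker */
    static const char s0[] = "ExampleBIOS\0";
    static const char s2[] = "ExampleCorp\0EX-BOARD\0CONSTRUCTED-SN-0001\0";
    memset(dump, 0, SEG_SIZE);
    uint8_t *tbl = dump + 0x1000, *p = tbl;
    p = put(put(p, t0, sizeof t0), s0, sizeof s0);
    p = put(put(p, t2, sizeof t2), s2, sizeof s2);
    p = put(p, t127, sizeof t127);
    size_t n = (size_t)(p - tbl);
    uint8_t *e = dump + 0x400;
    memcpy(e, "_SM_", 4);
    e[5] = 0x1F; e[6] = 2; e[7] = 4; /* length, version 2.4 */
    memcpy(e + 0x10, "_DMI_", 5);
    e[0x16] = (uint8_t)n; e[0x17] = (uint8_t)(n >> 8); /* table length */
    e[0x19] = 0x10; e[0x1A] = 0x0F; /* table address 0x000F1000 */
    e[0x1C] = 3; e[0x1E] = 0x24; /* structure count, BCD revision */
    e[0x15] = (uint8_t)(0 - sum8(e + 0x10, 15)); /* intermediate checksum */
    e[4] = (uint8_t)(0 - sum8(e, 0x1F)); /* entry point checksum */
}

int main(void) {
    static uint8_t dump[SEG_SIZE];
    build_sample_dump(dump);
    const char *sn = baseboard_serial(dump, sizeof dump);
    printf("baseboard serial: %s\n", sn ? sn : "(not in dump)");
    return 0;
}
```

When the entry point's table address points outside 0xF0000-0xFFFFF, or the board vendor left the serial field empty, baseboard_serial returns NULL.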

If they hadn’t been ignorant of Win64’s lack of NTVDM, nobody would’ve noticed this happening.

274 thoughts on “Skype Reads Your BIOS and Motherboard Serial Number”

  1. Some details:

    – The longest opcode they ever use is 2 bytes long. This means the code has sequences like “xor dx, dx mov dh, 0xF0 mov ds, dx” instead of the shorter “mov dx, 0xF000 mov ds, dx” or “push 0xF000 pop ds”. (The latter requires 386 but they know you’re on a 386…)

    – The code returns the DOS error code if the “int 0x21” calls fail, which would’ve been inconvenient to show in the C version above.

    – I think it’s unlikely that they would use your serial number directly. I also think they would just apply a hash.

    Reply
  2. I wonder if they are hashing it and using it as some sort of unique ID? But then why read the BIOS and not have the server generate you an ID when you log in? It seems an odd thing to want to know about your users. Also what did you mean by “given their past record”? I have never used Skype so I am not familiar with any unethical things they may have done in the past.

    Reply
  3. IIRC, Skype was limiting the number of concurrent connections on the AMD architecture citing technical limitations. Subsequent hacks of the software proved this was a bogus claim.

    Reply
  4. “given their past record”

    They can use your pc as a super-node to route traffic from other users. You have to search well on their site to find that out. I found out because skype was eating up my upload allowance while not even using it. It had 40 connections streaming in and out, using several % of my monthly bandwidth _a_day_. They should’ve asked permission or allowed a limit to be set. Good for me my firewall notified me.

    Reply
  5. re: super-node comment

    What part of p2p did you not understand? It’s made pretty clear how the system operates.

    Reply
  6. Pingback: bragoszewski.com
  7. Pingback: bragoszewski.com
  8. re: can one block .com file?
    Sure. Insert some crap at the start of the com file using a text editor.

    Reply
  9. Has anyone done any research on the Linux version? I’d figure it can’t do such things when run as an ordinary user, and nobody’s running Skype as root anyway (er well, except for some Linspire lusers…)

    Reply
  10. Linux version is far behind windowz. Actually that is something that drives me crazy about skype. All my friends are using webcams already and I won’t switch to Windows just because Skype with webcam is not supported in Linux… And asking all of them to switch to alternative communicator (wengo, ekiga(?)) is out of question…

    btw: are there any nice alternatives to skype (nice=nice+open 😉 )??

    Reply
  11. re: super-node comment

    I understand p2p perfectly well. I don’t get it why distribution is uneven. Once I became a supernode, skype was eating up most of my bandwidth. I’d be happy to give them some %, not most of it, thank you.

    re: webcam support under linux

    One can only hope gizmo catches up fast 😉

    Reply
  12. Don’t you see? They are working with MS to combat software piracy by making sure to collect all of your personal data from Windows while Skype is running. =P

    Reply
  13. I’ve Windows and Skype and I’ve not found this .com file … are you sure that it is Skype which controls your data and not another program which controls your Skype messages and PC properties? I’ve looked into all Documents and Settings folders and subfolders and I’ve not found it.

    Reply
  14. Cynthia:

    are you on 64 architecture? skype might be putting that file there, executing it and after reading output of execution the file is being removed. This might be just a split of a second… Note that you get an error only on 64 arch.

    Reply
  15. Pingback: blog.code.ae
  16. I started skype.exe with Sysinternals filemon.exe running.
    There is no 1.com file generated or executed by Skype on my machine.
    Are you sure your skype.exe image has not been compromised by a virus?
    Perhaps you should try to confirm your finding after reinstalling Skype?

    And what is this nonsense about “their track record”?
    Did you pull that comment out of your ass?

    Reply
  17. If you install the “Business” version you will not have this problem. It’s the same program just using a different installer that doesn’t install this.

    Reply
  18. Perhaps their track record of taking bribes from Intel to intentionally cripple their software on AMD machines claiming that only Intel’s pathetic Pentium D architecture was capable of 10 audio streams or whatever it was? They’re hardly a particularly trustworthy company if they’re willing to be used as lying shills for a few bucks.

    I’d say the BIOS dump is related to CPU identification, even though there are lots of less sinister ways of doing it.

    Reply
  19. I knew skype was evil 😉
    That’s why I want all of you to use wengo phone 😀 It’s free, open and has gaim support (msn, yahoo, google talk…) So you can leave those closed weird things to the windows *censored by sender*… 🙂

    Reply
  20. Just look for ‘vanilla skype’ and you’ll get ideas about what got into previous versions of skype.

    Reply
  21. Regarding supernode:
    Unchecking the use ports 80 and 443 will disable supernode mode 🙂

    I would much rather prefer an option for bandwidth and connection limiting, the current supernode mode is out of control. After some days, it eats 30% CPU, and makes windows falter under the load, and sometimes causes the entire application to crash.

    Reply
  22. This is bad news, really. Skype also has a new feature for Intel Processors only, so AMD users get discriminated. Jajah.com may be a good alternative, although it is hard to tell which company is NOT sniffing in your computer.

    Reply
  23. Well, first off I agree that this is bad news all around. I can comment discreetly on the purpose of this BIOS scan however, but I cannot tell you for whom I write code (Please fill in the blank yourself). This is using your BIOS for a combination UID labeling for usage tracking and was apparently initially designed as a wrap label for IP to UID usage metering and technically load balancing your connections to 1 per username per IP. Not one of the brightest things to do IMHO just to keep people from using multiple instances on a network with the same username/account since they now offer unlimited calling, and incoming phone numbers.

    (Ever notice if you start multiple instances on a network you can all be signed on under the same username? It’s like a bad scene out of the lawnmower man when 10 computers all start ringing at the exact same time when an incoming call is received.)

    Reply
  24. I opened Skype.exe in OllyDbg and could not find references to the file you mentioned. Is there something I missed? I used Skype 3.0.0.198. I also used Filemon (from Sysinternals) to see if the file was being opened. Is this file executed on a first time start only and then cached for later usage?

    Reply
  25. I can’t find any trace of the file mentioned or even a trace of Skype using *.com files.
    If the file came from a skype setup, one could check what the actual installer includes. Or try to disassemble the installer file to see if there are any references to a *.com file.

    So far I can’t find any traces of it, so are you sure that the file mentioned, actually came from skype?

    Reply
  26. I’m still wondering “So what?”

    Is there a way (you need not describe it) to commit identity theft or compromise the security of my computer by using my motherboard’s serial number? It seems to me that this information guarantees identification of the computer from which a call is being placed, even if one does not have a static IP address (which most users do not).

    Reply
  27. Datalocust: If its purpose is UID monitoring/enforcement then why isn’t it working? I know exactly what you’re referring to regarding multiple sign-ins and so I can tell you first hand that it’s not working as per the latter is still working (multiple logins)

    Why would anyone possibly try and stop or filter unique logins using a measure that is a direct privacy concern? It’s bad press (ie. it’s been slash.dotted)

    And most importantly I’m w/ fuzzy, cause I can’t find any trace of a com, or any threads from skype.exe that are calling on an executable.

    Reply
  28. There is another perspective here, and that is the one that involves solving the technical problems associated with using your computer as a phone. Security concerns aside (and they are valid), it is a very difficult thing to use your computer as a phone. I am working on a project doing this very thing, and we are working on solving echoes, delays and other audio headaches. To solve these problems, you have to know what the environment is at very deep levels. It is not like just playing music, it is very complex, and I can understand why Skype wants to look at the bios so they can get a complete look at the environment they are running in.

    Reply
  29. Hey Johnsmith,
    I know exactly what you mean. That’s what I was trying to say, but I think in my haste complicated the meaning. I don’t know why they would still be doing the BIOS scan, if since the new version, they even are, since some reliable people aren’t able to find the files. The UID Mon/Enforce is what they were designing it specifically to accomplish. I know it’s not working so it could only be something shady. Sorry man didn’t mean to confuse anyone like that.

    DaveNF2G: There are ways of accomplishing EXACTLY that. That is why this issue drew the attention of so many so quickly.

    Reply
  30. Mike: That’s a perfect example of the complications in designing the dual layer application for IP Telephony. Not only is the playback of the caller’s voice complicated in its own right, you have to have the ability to allow the input of voice, modulation for anti-static, background echoes, etc. But then you have to deal with the compression, packet UID for IP QoS and then the reverse on the other end.

    However there are MANY other more reputable ways of dealing with this issue of individual computer hardware requirements. The best way to do this is much of the same as Online-Gaming developers do this. In the installer for the program there is a hardware scan done that creates a file with the specific requirements of that computer. Scanning the BIOS on every startup is concerning since this scan is only valid on Win32 systems. Then on top of that only those with Intel based boards. If the BIOS was scanned for serial number for an operational basis then users of anything other than the Win32/Intel user community would experience usage issues.

    I’m not implying that I know everything, I’m just stating that unless it was designed for an implicit user base I’m unclear how it would work.

    Reply
  31. There is clearly another use for serial number ID, regardless of session signon and traffic balancing.

    Consider the desires of certain large government agencies that want to intercept and analyze call traffic between parties…

    Reply
  32. > Has anyone done any research on the Linux version?
    > I’d figure it can’t do such things when run as an ordinary
    > user, and nobody’s running Skype as root anyway (er
    > well, except for some Linspire lusers…)

    I don’t use Skype. If it requires a kernel loadable module, they have access. Additionally check the permissions on /dev/[k]mem

    I hate it when companies do this kind of sh1t.

    Reply
  33. One reason to uniquely identify the PC:
    One can login simultaneously on few machines with the same Skype id. Coming to think about it, maybe it can be done on the same machine and different user (OS user)

    Reply
  34. I can confirm this. On my Vista x64 system, when opening Skype I always get an error message that 1.com can’t be run, because it’s 16 bit software.

    Reply
  35. ups,

    I won’t mind about microsoft this time as some are replying here. I guess it’s about, please take me seriously, possible secret service activity.

    all around the world they want the ID-gap in the net to be closed. FBI/CIA/NSA/Military are part of any committee that votes for communication protocols (GSM/IP/etc)

    They have both an enormous interest of logging communication over internet, and a huge problem to get that job done (i.e. CARNIVORE – FBI logging your private email)

    They try to tell microsoft NOT to encrypt the VoIP-Chats for XBOX LIVE, of course, for legal reasons other companies offering communication tools are set to leave backdoors in their software… for whatever happens at anytime to resolve a user-id.

    this is what happens…

    skype is of course in the focus of these institutions… for several reasons.

    thanks for listening : )
    dfromg

    Reply
  36. Okay. Some points:

    – I have no idea what the BIOS reading is for. I got annoyed when I read about some of the other things Skype does, like the AMD feature lockout and the heavy obfuscation revealed by some hackers at the European Black Hat. That is the source of the “given their track record” remark.
    – 1.com may have disappeared from the latest versions; I installed Skype a few months ago.
    – You won’t find a reference to “1.com” in the Skype program because it’s heavily obfuscated. I don’t know what part of Skype makes it and runs it.
    – You won’t have this happen unless you’re running Win64, because otherwise the program executes in a split second.
    – People on Slashdot have said that the “business” version doesn’t do this, but I have no idea. I only know what I saw Skype do on my own system whenever I started it.
    – Others have seen this 1.com error; see each of the 3 blue words “probably have noticed” at the beginning of my original post.

    Reply
  37. On my system win2k on vmware, skype creates the directory “11” in “…temp”. So I start that loop (see below) before starting skype. Waiting… Skype GUI takes a little bit longer… Enter Password……………………….WelcomeScreen and a copy of “1.com”

    —– file blabla.bat in “…temp” ——
    @echo off
    :1
    copy 111.com 1.bak
    if exist 1.bak goto 2
    goto 1
    :2

    Reply
  38. dfromg: I DO take you seriously!!

    Especially the CIA part. That’s not taken from some third-class movie, but since I remember the alarming thing that some hacker has found inside MS Word documents, which give a lot of intendedly private information to the public just by sending around the DOC files. Fortunately GPL applications like OpenOffice or kword (KDE/*nix) also do support DOC, so there is no requirement to use genuine Word.

    Reply
  39. What version of skype does this?
    Does it do it on every start?
    I set my HIPS to log all apps executed by skype but it didn’t load anything except the plug-in manager.

    David X.

    Reply
  40. Why does anyone think about it as source for unique IDs? There are enough ways to get unique IDs for single PCs out of win32. When I need to (re) identify a single computer in win32 I write a md5(random()*time()) value in HK_LM, that’s easier, more compatible and better preserves user’s privacy. Thank god no non-root app is able to access my vital parts on GNU/Linux 😉

    And Mike: Reading the BIOS leads nowhere when making voice apps. Skype runs on OSX, and there is firmware. Skype runs on GNU/Linux. There is no userland-access to bios as well (when well configured, of course 😉 ) … TS doesn’t need it, and its quality and bandwidth usage is, from my point of view, much better than Skype…

    I don’t see any good reason for such an app to read the bios.

    Have Fun!
    Martin

    Reply
  41. Another reason to fear Skype “given their track record”: the guys behind Skype are also the guys behind Kazaa. Google for +kazaa +trojan.

    Reply
  42. The matching of mainboard IDs to IP addresses would allow tracing movement of laptop owners. This is a big concern for me as an example as I’m travelling all over Europe with my company’s laptop. I use it from within hotels, airports, restaurants, companies, universities and at home and at friend’s houses. This would allow organisations to derive movement profiles of laptop owners. In combination with all the other information available about individuals and their friends it should be possible to create quite a precise picture of a user, if the information is being logged over time: geographical address (IP address), duration and date/time of session, profile of the geographical distribution of friends, profile details of your friends – data mining makes it possible …

    I think the degree of detail which can be achieved depends on the amount of profile details and your buddy list. On the other hand, Skype could just as well collect further information from your hard drive.

    Reply
  43. PSIplus, I agree with you up to a certain degree. However, using BIOS IDs as an identifier would allow an increased persistence of the ID. Windows systems and registries can be re-installed.

    Reply
  44. Hello,

    I´m using Skype and Last.Fm Windows client and skype tries
    to use Last.Fm and i don´t know why.

    Reply
  45. What do the network sniffers say about Skype’s activity when idle?

    Who has logs?

    What does Wireshark log about Skype activities? Does anybody know?

    Reply
  46. I get the error “… trying to run 16bit app…” every time I boot Windows Vista 64bit. Does anyone know how to stop this? Is Skype doing anything to fix it?

    Reply
  47. I am not catching on.. This blog seems to be childish at best. I actually enjoyed reading the post except that not even the author understands the situation. I for one am for user security and privacy so this blog attracts my attention but when the writer fails to understand if there is an issue at all it seems useless to re-post anywhere on the web to alert users.

    I hope that the author contacts skype or tells the population if skype is doing something bad, otherwise you would be an accomplice yourself no ? Circulate a more detailed version if you can anonymously please. Thanks

    Reply
  48. I guess that the motherboard ID is a valuable help to securely identify a single system regardless of different os-installs (like BartPE-installations, or OSes installed on several partitions, or sandboxes, maybe even VMs) using several (means: different) logins.

    Why would you want to do something like that? Well, see it as some kind of IMEI-number for VOIP-phones: It’s ideal for finding “suspects” of any kind that tend to change their os-installs and their logins and their IPs like on a daily basis at least (maybe even on a by-call basis)… With this feature they can do so and they can “feel safe”, while Skype (or who ever stands behind them) can easily track (and of course decipher) every single ‘word’ they transmit nonetheless… Cewl. :O)

    Reply
  49. PSIplus: So your vital parts run Linux? And no non-root apps can access them? Given your usage of the verb “root” I presume you’re Australian.

    Reply
  50. Very interesting issue, but somehow I don’t really understand why the skype coders would generate a com file at runtime. Why is this little extraction of BIOS information not hardcoded in the main program? This would be less conspicuous, wouldn’t it?

    @Myria: When you want to find out what a program does (in this example 1.com), how do you start? I know the basics of assembler, but I don’t know any special addresses like the BIOS register, and I don’t know how to separate commands and addresses from a hex dump. I don’t need a complete step-by-step description, just a suggestion, a link or a recommendation to know where to start 🙂
    thanks in advance

    Reply
  51. I am still seeing that message every time I start 64-bit Windows; I had installed Skype about 2 days before Christmas Eve on my new PC.
    After hitting that annoying bug I went to the Skype homepage support forums and was looking for that issue, which was already reported by other users. Some forum moderator said that the issue is known and will be fixed, so at least they must be already aware of that problem. I suggest you visit the Skype support forums and look if in the meantime they published something more about it 🙂 I do not use Skype often, so I did not care about that problem anymore, after disabling Skype to start after Windows startup. Used it only twice since then ^^

    Reply
  52. kevin – the BIOS image is not available from Win32; however, NTVDM provides the image in a “DOS box”. Therefore, a separate DOS program (1.com) is required to read the information. That’s the easiest way, anyway, and is certainly not as malicious as using rootkit techniques to gain Ring0 access to directly access the BIOS. Only Sony would try something like _that_ 😉

    Reply
  53. It’s times like this that reaffirm my faith in Open Source Software. To all who sneer – You can keep your conveniences and I shall keep my system, thank you very much.

    Reply
  54. You do not *need * to use a COM file to read the BIOS, under Windows NT x86.
    You can map the entire Physical Memory into userland address space using the NtOpenSection function on \Device\PhysicalMemory (assuming that you have admin privileges). This is well known and documented.
    Reading the BIOS (or even the entire RAM, including of other programs, and the system), is then trivially easy.

    Reply
  55. Kevin: This actually is probably the only way to read the BIOS without being administrator and using entirely documented Windows functionality. You can use NtVdmControl to map the BIOS into a user process like NTVDM does, but that is not a documented system call.

    I think this also demonstrates that companies generally don’t care about Win64 at all, and don’t bother testing their programs on it. They can use IsWow64Process or GetNativeSystemInfo to detect that they’re not on a Win32 machine.

    Reply
  56. Skype 3.0.0.198

    Because the file 1.com exists only for a very short time, I use the following steps to catch it.

    1. I deleted all files in “..temp” – only 2 dirs left (“.” and “..”)

    2. I run that script in “..temp”

    ————–
    @echo off
    :1
    dir >> list.txt
    goto 1
    ————–

    While running, start Skype and login. When logged in, terminate the script by ctrl+c. Close Skype (not only logoff – quit complete!)

    3. Search in list.txt for “3 directories…” – remember the first two dirs are “.” and “..”, the third is the one created by skype.

    4. Edit the script and use the name you found.

    ————
    @echo off
    :1
    copy DIRNAME\1.com 1.bak
    if exist 1.bak goto 2
    goto 1
    :2
    ————-

    5. Run that script and then start Skype and login. The script terminates when 1.bak (the copy) exists.

    1.bak is a copy of DIRNAME\1.com

    Reply
  57. For all those people out there that say they don’t see the 1.com file….

    I seem to recall the problem with the 1.com file crashing on Skype startup when I first went to v3.0. After some questions I was advised to not use the standard installer but instead the msi (‘enterprise’) installer. This actually (in my case) installs 3.0.32.198, not 3.0.0.198, and does not install the 1.com file.

    Possibly they’ve updated all installers (since I last installed) to manage this 1.com file better.

    Phil

    Reply
  58. Uhoh,
    “my unfailable filemon.exe didn´t show me a 1.com, so you must be lying”. LOL.

    “I don´t know what you are talking about (track record), so it must be out of your ass”. ROFL.

    Unbelievable.

    Cheers to Myria.

    Reply
  59. Pingback: Pensieri Sparsi
  60. GUYS PLEASE…

    (referring to some posts far above)

    I think it makes no sense attacking Myria by reproaching her of wanting some mere publicity.

    SOME SKILLED GUY SHOULD TAKE THE 1.com AND DISASSEMBLE IT HIMSELF.

    I’d like to have a *second person* who can *prove* that it’s really the BIOS which is read out.
    We are humans. And humans make mistakes.

    Reply
  61. I run Skype 2.5.0.151 on windows x64 and get no such error message, and no 1.com file ever exists in my temp directory through a whole skype startup, chat, sign off…

    Reply
  62. Pingback: libertatis.org
  63. coyote: Okay, you’re right… While cpuid features can be disabled, using a supposed security hole to fetch this information is quite a fine way 😉

    cogote: Close, I’m an Austrian 🙂 … I got win32 only as xen and that only for win32 development stuff…

    andy (de): I disassembled it as well, and she is absolutely right. There is not much magic about it, it just does what it does, reading memory and dumping it to stdout. You don’t have to be a pro to check this, and from your statement “SOME SKILLED GUY SHOULD TAKE THE 1.com AND DISASSEMBLE IT HIMSELF” I guess you are just another sexist. I’ve seen this behaviour of win32-Skype in Linux as well when using wine, there you can make a much more detailed plot of the situation, while skype makes some expectations of the platform it runs on and that obviously doesn’t include windows x64 nor wine…

    Reply
  64. Hi Myria,

    can you please name the version number of skype you use? Additionally, was anybody able to detect creation of a file 1.com using filemon? I wasn’t, so far, so is there an easy way to reproduce this behaviour on non-Win64 systems?

    Thx

    Reply
  65. I am using skype very much for calling around the world. I am very happy that myria posted her knowledge about the 1.com file!

    Well, besides some technical reasons, I think the knowledge of unusual hardware information makes some sense for identifying people:

    1. They know with how many different skype accounts you are using your computer (it is easy to check whether you use the same windows username).
    2. They are able to construct the social network you have with different accounts.
    3. They know which files you are sending with the skype and to whom.
    4. They know where you are using the computer (IP address, or which internet cafe).

    There are three different types of people who are interested in these information:

    a) Government (FBI, CIA, NSA, BND … and all the others)
    b) Advertisement industry (yes sometimes you need to go on the webpage of skype, a little cookie provide many information 😉
    c) Music and film industries (you could exchange some files where those people like to get some money for)

    Think about it.

    Sure, I am paranoid, but am I paranoid enough?
    (author unknown)

    Reply
  66. I traced the thing a bit, and I was unable to reproduce it… It only appears on my x64 windows… I used a safe method to monitor file operations (wine + inotify-tools), and no trace… No signature or anything in Skype.exe… 3.0.0.198 as well as 3.0.0.216, and 2.5 of course… No sign of the filename either, but that doesn’t mean a thing, while strings can be hidden easily within a binary…

    On the other hand, on xp pro x64 i just changed my temp-part to smbfs with inotify, and I easily obtain the file … So I guess it is just some bad error-handling 🙂 … It doesn’t seem to appear with Skype 2.5, and even on x64 it is hard to monitor when using an unmodified system…

    Reply
  67. German (translated):
    This is bad news!
    Which telephony software is there for which the source code is available?

    English:
    Very bad news. 🙁
    I am searching for alternatives (open source) for Skype.
    Please reply with link.

    Reply
  68. Pingback: meneame.net
  69. Thank you for finding this weird thing…
    Lastly now the people around me should believe me when I say: Beware of proprietaries!

    Reply
  70. I can also confirm the existence of 1.com since skype 3. I’ve noticed it by coincidence even on my x86 machine. I run Skype in a guest account. After installing Skype 3 it started to complain that it is not capable of setting proper access rights on a file called “1.com” in my Temp directory.

    Up to my findings it is not Skype itself creating that file, it could be something in the “Extras” stored in the “Plugin Manager” Folder, which gets installed together with Skype. … Since, for me this “Extras” stuff is completely useless, I’ve deleted the “Plugin Manager” folder … Skype still works fine, and it stopped to complain about “1.com” …

    Reply
  71. I also run skype on Windows XP x64 edition and get no such message, I’d say you’re infected by something else.

    Reply
  72. Hello blog posting,

    Well, we have a vivid profile of human society right here. Sigh…

    Thanks for the post, Myria… I’m a long time Skype user – on a P4 IBM and a Celeron 333 IBM. This breaks the camel’s back – no more skype for me, at least in Windows (any platform).

    Thanks to some happy days with Turbo C++ 3, Visual C++ 6 and MSDN, I can appreciate this situation.

    Keep it up, and good luck.

    (PS: Jabber+GnuPG anyone? 😉

    Reply
  73. May this little serial be used to exactly determine the computer (also it hacks in over an open wireless lan or else) used – perhaps big brother is interested in terrorists planning attacks via skype? – since u can spoof nearly everything, this way might have been hidden to those people… – but if i was a terrorist i only would use some opensource encrypted shit like this good old pgphone-stuff. – mh, just thinking of skype might be installed in any internet-cafe – what so ever – i’m just paranoid

    Reply
  74. Hi all!

    I was trying to reproduce your finding and simply couldn’t. Maybe it also depends on the Language of Skype you are using, I have the German. When using Skype with Win XP x64, I never got this error message. Now that I use 32 Bit again (support for 64-Bit is too weak) I tried different things to find out if this 1.com is generated. I used Filemon and also this Batch-Script. I really don’t get why I can’t find this File. I used several Skype-Versions. This is quite curious.

    Reply
  75. I just installed “spy catcher” on my machine and the first time I ran spy catcher it told me that it had stopped Skype from recording my keystrokes! Why is Skype recording my keystrokes? This was a little concerning, and I was sure to install spy catcher on all my machines after that.

    Does anyone know why Skype would be recording my Keystrokes???

  76. Quite long thread – phew!

    I have been using Skype for a long period now. Since I first installed it I have agreed with people saying it is potentially harmful. My experience has been that with every new version the net traffic increased more and more. The user has had no chance to throttle something down to the needed things – f.i. just to tell the network every minute or so that the client is still alive.

    With version 3.0 there seems to be a desktop sharing system implemented, now. This feature is very much disliked by me, as it seems skype now can take over the complete target system. Compared to other remote management tools as VNC etc. it is closed source. I must not say more to this.

    So switching over to another solution will be necessary, soon. Other conservative thinking people on the net mentioned http://www.wengophone.com – also free but OS and under GPL. Or that software developed by Phil Zimmerman zfone http://zfoneproject.com/ … we will see.

    I am curious what Skype will do if they see their currently more than 9 x 10^6 online users drastically decreasing.

  77. @Jared: Do you know the history feature of Skype? It probably records your keystrokes for saving them in the history.

  78. Hi People,
    I suggest everybody to read this http://www.secdev.org/conf/skype_BHEU06.handout.pdf
    document about the internals of skype. Having read this, probably everybody will uninstall skype from his computer… It is not a secret since 2006 that skype is not secure at all!

    However thanks to myria this issue comes back in focus now. On my way home I even heard about it on radio fritz (in Berlin).

    @myria: I would be happy to get your mail address… I am also interested in further technical research 🙂

    Regards,
    Bodz

  79. @PSIPlus:

    “and from your statement “SOME SKILLED GUY SHOULD TAKE THE 1.com AND DISASSEMBLE IT HIMSELF” I guess you are just another sexist.”

    Sexist? No, the capitals were just because I wanted to emphasize the important parts without enclosing everything in asterisks …
    Moreover, you seem to have interpreted *much too much* into this…
    The “skilled guy” did NOT mean that I think of Myria as a noob…but I want a “skilled guy” with the same (or more) assembly experience instead of some random rookie … got it?

    See, I better believe things said if TWO people have proved it. That’s my personal right to first have my doubts, then when more confirmations occur … fine.
    You DID disassemble it and check for yourself, which is good! I clearly claim to not have the skills to distinguish right from wrong, so I leave that to the assembly cracks 🙂

  80. Exactly… I made some research, and I found out that 1.com is a fallback, when user isn’t logged in with Admin-Rights! wine “fakes” admin-loggedin, so no report on 1.com there (but it gets a fake bios – hehe) … When running on win32, which supports reading from BIOS (as Admin-User) no sign of 1.com. But whenever it isn’t possible to read it, it falls back to 1.com… While some low-level functions don’t work as expected on x64, it tries the same fallback usually used on x86 to get through as restricted user – but it fails, because of the missing DOS VM! It seems to be that easy after all…

    So, in short:
    – Be restricted user, or
    – Run on non-x86-32bit-platform

    To make Skype fall back to 1.com! It’s that easy.

    I’ll try to monitor this behaviour with wine soon by making some nasty modifications, which hopefully avoid the fake bios read and make it create 1.com, maybe I’ll find out more about what happens to the created bytestream…

    Have Fun!

  81. Why isn’t anybody talking about solutions?

    Maybe you could create an empty read-only file named “1.com” and place it here:
    C:\Documents and Settings\[name]\Local Settings\Temp\12\1.com
    Then Skype would be unable to create the file. (Does Skype always use “12”?)

    -Or if your file system is formatted NTFS and you don’t use any 16-bit applications you could disable execute permission for ntvdm.exe. I saw this as a suggestion for stopping certain trojans. (I have FAT32, so CACLS won’t change the execute permission, ATTRIB can’t do that… I tried renaming ntvdm.exe, but Windows promptly recreated it. I don’t know what system process did that, or if it can be disabled.)

  82. Carl, that is a nice idea, but for as long as you work as admin-permitted user (e.g. standard XP) it is meaningless, because 1.com is a fallback… To solve this, you have to try what I’ll try soon: patching skype.exe to bypass the original bios-check as well.

  83. The final “solution” will be that Skype guys fix this.

    But this fix does give me goosebumps, nonetheless, folks …

    Since that means that people’s bios will STILL be monitored…and probably that 1.com will just be hidden in a better way so that it is not found anymore.

    “Once bitten, twice shy.” [TM]

  85. Myria! It’s Naomi! Saw you on digg. LONG time no speak. knew it was you right away. Email me!


    (Naomi in Israel)

  86. Dumping all of f000 seems a bit weird. If they want identifying data, they could use the SMBIOS specification to get things like a serial number and manufacturer if the OEM decided to include that information (not all boards have a serial number). This also seems like a bad idea since the SMBIOS data is editable with the proper tools. There are a few other tables in f000 that might be useful for looking at some hardware info but it still isn’t good as identifying information (ACPI, PCI data, PNP data). Other than that, f000 is BIOS code which is rather worthless unless you have the source to that code.

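What comment 86 describes, as an added example (not code from the post, the commenter or Skype): a parser that checks which SMBIOS serial numbers can be recovered from a 64 KiB dump of segment F000 alone. The sample image, its strings and all function names are constructed for this example.

```python
import struct

SEG_BASE = 0xF0000   # physical address of the dump's first byte (segment F000)
SEG_SIZE = 0x10000   # the two fwrite() calls together emit 64 KiB

def find_entry_point(dump):
    """Offset of a checksum-valid SMBIOS 2.x entry point in the dump, or None."""
    for off in range(0, len(dump) - 0x1F + 1, 16):       # anchor is 16-byte aligned
        if dump[off:off + 4] != b"_SM_":
            continue
        length = dump[off + 5]
        if length < 0x1F or off + length > len(dump) or sum(dump[off:off + length]) & 0xFF:
            continue                                      # bad length or checksum
        ieps = dump[off + 0x10:off + 0x1F]                # intermediate part, 15 bytes
        if ieps[:5] == b"_DMI_" and (sum(ieps) & 0xFF) == 0:
            return off
    return None

def walk_structures(table, count):
    """Yield (type, formatted_area, strings) for each structure in the table."""
    pos = 0
    for _ in range(count):
        if pos + 4 > len(table):
            return
        stype, slen = table[pos], table[pos + 1]
        end = table.find(b"\0\0", pos + slen)             # string-set terminator
        if slen < 4 or end < 0:
            return
        yield stype, table[pos:pos + slen], table[pos + slen:end].split(b"\0")
        pos = end + 2

def string_field(formatted, strings, offset):
    """Resolve the 1-based string index stored at `offset`; 0 means not set."""
    idx = formatted[offset] if offset < len(formatted) else 0
    return strings[idx - 1].decode("ascii", "replace") if 0 < idx <= len(strings) else None

def identifiers_in_dump(dump, base=SEG_BASE):
    """Report which SMBIOS serial numbers are recoverable from the dump alone."""
    off = find_entry_point(dump)
    if off is None:
        return {"entry_point": None}
    tlen, taddr, count = struct.unpack_from("<HIH", dump, off + 0x16)
    inside = base <= taddr and taddr + tlen <= base + len(dump)
    found = {"entry_point": base + off, "table_addr": taddr, "table_in_dump": inside}
    if inside:                                            # table may live elsewhere in RAM
        table = dump[taddr - base:taddr - base + tlen]
        for stype, formatted, strings in walk_structures(table, count):
            if stype == 1:                                # System Information
                found["system_serial"] = string_field(formatted, strings, 7)
            elif stype == 2:                              # Baseboard Information
                found["baseboard_serial"] = string_field(formatted, strings, 7)
    return found

def build_sample_dump(table_addr=SEG_BASE + 0x1000):
    """Constructed 64 KiB image for the demo: not a real BIOS, every value invented."""
    def structure(stype, handle, body, strings):
        tail = b"".join(s + b"\0" for s in strings) + b"\0" if strings else b"\0\0"
        return bytes([stype, 4 + len(body)]) + struct.pack("<H", handle) + body + tail
    table = (structure(1, 0x100, bytes([1, 2, 0, 3]) + bytes(17),
                       [b"ExampleCorp", b"Model-X", b"SYS-CONSTRUCTED-01"])
             + structure(2, 0x200, bytes([1, 2, 0, 3]),
                         [b"ExampleCorp", b"Board-Y", b"MB-CONSTRUCTED-02"])
             + structure(127, 0x7F00, b"", []))
    eps = bytearray(0x1F)
    eps[0:4], eps[5], eps[6], eps[7] = b"_SM_", 0x1F, 2, 3
    eps[0x10:0x15] = b"_DMI_"
    struct.pack_into("<HIH", eps, 0x16, len(table), table_addr, 3)
    eps[0x15] = -sum(eps[0x10:0x1F]) & 0xFF               # intermediate checksum
    eps[4] = -sum(eps) & 0xFF                             # entry point checksum
    dump = bytearray(SEG_SIZE)
    dump[0x200:0x204] = b"_SM_"                           # decoy anchor, fails validation
    dump[0xA30:0xA30 + len(eps)] = eps
    if SEG_BASE <= table_addr and table_addr + len(table) <= SEG_BASE + SEG_SIZE:
        dump[table_addr - SEG_BASE:table_addr - SEG_BASE + len(table)] = table
    return bytes(dump)

if __name__ == "__main__":
    print(identifiers_in_dump(build_sample_dump()))
```

When the entry point gives a table address outside F0000-FFFFF, the dump holds only the pointer and no serial strings, which is the second case the function reports.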
  87. Hello Vonage….dumb commercials… but not peering into my computer mind
    What’s next – the guy that made the DOOMSDAY WORM will now create an Internet Password Wallet application

  88. Hmm, PSIplus’s comment about 1.com being a fallback is interesting. In NT 5.2 SP1, \Device\PhysicalMemory was locked out from user mode regardless of privilege. Maybe Skype tries \Device\PhysicalMemory first, which will fail as non-admin, on WINE, and on XP 64 (because it’s NT 5.2 SP1).

    In other words, because Skype can get even more invasive access on XP 32 SP2, it won’t bother with 1.com. This is only a theory.

    One way to test the theory would be to see if 1.com is created if you run Skype from an unprivileged user under XP SP2. If PSIplus is right, 1.com would then be used.

    Disclaimer: I have not tried any of this.

  89. Splynn: That can’t be done without being Administrator, and possibly would require a kernel driver under XP 64. PSIplus’s theory seems the most plausible explanation, that 1.com is a last resort. It’s quite possible that Skype does what you say – though I have no idea how to check.

    I’m not as good of a reverse engineer as those who presented about Skype at Black Hat Europe 2006.

  90. maybe they are just trying to figure out what mother board you use and if you complained about “cannot use microphone”. They might just know, what is going on.

  92. for me, this just adds another part to the puzzle… so, the skypers meanwhile admitted the thing was contributed by easybits.com in norway, a firm renowned for – let me call it family-protection software – secure browsers for your children, parents can control every bit the youngsters may see on their pc… it’s all about total control.
    peeking in the vanillaskype documents: that seemingly reveals
    the whole skype thing is a mere fortified spearhead of – for most of pc-users in the world – uncontrollable software they willingly plant on their machines…

    to shorten my comment: i just wonder for whom ilya kruglenko worked / still does ? / worked before easybits – to quote one of the posters far above: fill in yourself…

  94. Mike: i’ve got some background in signal processing, particularly in sound processing, and AFAIK You don’t need mobo id and so on. You can use pure matlab and do whatever you want with sound, have vgood effects, and still, you need to know nothing about computer parts used, to do that, and it’s valid both for offline and online data.

    And YES – Skype is evil in my eyes, and it’s not because only of this, there are many more privacy concerns.

  96. Is it possible to directly address via skype to a UID? or to inject a security service listener device, i.e. switch on your microphone?

  98. Why is it too much to expect product manager types to act with respect for individuals and customers? It seems that every time we turn around some product or another has some unexpected *feature* built into it. And then when it’s discovered, shrug their shoulders as if nothing is wrong at all.

    Crack dealers behave better than this!

    Ah yes, the answer of course is Business 2.0. What happens when you populate management with the new business school types who learned nothing other than how to chug beer, cheat their way through exams and ultimately lie on their resumes.

  99. Hello,
    Skype is getting our system’s information for our use.
    Then, when we view the site, it knows what operating system we use (for the downloads page), since they have, priorly, assigned it to our IP. It’s a minor tool, just for easier management of Skype.

    The above are not facts. The above is strictly my opinion.

    Shaffer.

  100. SKYPE USES MY COMPUTER!!! **GRR**HMM**BLA**

    Don’t panic!
    What about NOT using Skype?
    Think that will solve all problems.
    But you have to use your phone instead. Tjo.

    BTW: My Motherboard Serial is: UY2H 60100033.

    OH MY GOD, POLICE IS BANGING AT MY DOOR!!!!

    See ya… maybe.

  101. But why they do this..? what purpose they wanted to solve by knowing one’s serial number ?… is it a right way to deliver the services… it’s just a ridiculous thing…

  102. I had feeling in my stomach this morning like I had swallowed big stone when I went to make a call to a friend via Skype. I had not authorized Skype to do this…I had no alert from Zone Alarm…All my private contacts from Microsoft Outlook were now on my Skype Contacts…Not at any time had I enabled or disabled the option for my Outlook Contacts to be put on the Skype Contacts…Did I miss something here when I read the EULA before I installed Skype 6 months ago? I have been compromised & I may have now become a victim of identity theft, since information I had stored in my contacts was information required for filing income tax…Skype had access to this, without my knowledge it appears. There is a lot more at stake here for me besides the fear of reading the serial number…THERE IS DEFINITELY A “SERIAL KILLER” LOOSE HERE!!! Since this morning I have uninstalled Skype…fired off an email to Skype stating I want my money back (prepaid for a year) & mentioned that if I have to pay to get this spyware off my computer…they are liable! This is how I ended up at this forum!!!

  103. When I execute my new “Anti Skype Bios Access” program,
    Skype will not start.
    When I close it, Skype starts.
    What do you think??

  104. Hi…is this site dead? Not having a huge understanding of assembler (of any CPU) myself, I was finding the previous posts a very interesting read. It’s also stunning just how bad the x86 instruction set is. But nothing new since February? What happened?

  105. oh my god so you’re saying that anyone using skype within 1 year if that your bios will be corrupt

  106. In my eyes the bios information and m’board serial no’s are analyzed in cooperation with the dept. of homeland security to minimize possible terror threats and gain information…
    big bush is watching us.

  107. You people don’t have a clue of what you’re talking about! SKYPE does NOT behave in a suspicious manner, it is not collecting BIOS and motherboard data, and the EBAY deal is not weird. Try being more open-minded, rational, and seek mental help. Read your SKYPE T.O.A… P2P is clearly spelled out and you opt-in for it. They DON’T work with American intelligence community as their loyalties may lay ELSEWHERE closer to home… They are in Tallinn Estonia who do you think they would work with under the table IF they did… which they probably don’t as they are true capitalists!

    You probably have a frickin’ VIRUS which is reading your BIOS and Motherboard ID… Skype isn’t doing it. And who says Skype is totally FREE? Not any more! Also they want to move into Wi-Fi-based Skype cell phones through Radio Shack and Walmart. Keep up with the times why don’t you. Their computer scientists are probably the same Russians from Moscow’s MIT used by that Indian guy in Chicago USA who makes that RF PDA mpg player for kids called Cybiko.

    They have to impose system limits some people don’t have the power or sys req to have so many sockets and stuff open… Some people have IBM POS’s ya’ know… Everyone knows IBM sucks. What’s wrong with INTEL?

  108. I have had a horrid experience in the last few days with Skype.

    My Skype ID was hijacked by someone else and I have been reporting it to Skype repeatedly on an hourly basis.

    There was about $40.00 in my Skype out account but what I am more worried about is that it is linked to my PayPal account.

    No action has been taken by Skype except to say that someone with the email of antyposter@hotmail.com has now got my Skype ID.

    My many pleas for something to be done about it after that one email from Skype have not been answered.

    This is a desperate plea for help from the Internet community as Skype is not responding. What can I do?

  109. This is used as a part of seed for the pseudo random number generator maybe?
    As we know skype is heavily using cryptography and PRNG is a building block of it. I wonder why direct reading it this way then, if it was for that reason!

  110. That topic is full of bullshit.
    First, ntvdm is a process for graphic DOS console application. Second, you cannot read any address out of your process. The void far* is in the data segment so 0xF0000000 is not the address of the BIOS. Address of the BIOS is 0xF000:0xF0000000 and you can access only by inline assembly. Next mistake is that you say you found 16 bytes COM file. The COM is compiled file and there is no way to take back the C++ code. You should post an assembly code and then it will look more real. Also that 4 lines if they had worked, they will not send BIOS to skype, but to the screen, showing the user what BIOS contains.
    Anyway, you should learn programming before posting such fake topics. There is no way Skype or any other Windows application to get your BIOS. Application that can take BIOS and rewrite it can only be started instead of operating system when the computer starts.

  111. Interesting article but it’s from February 2007. What’s the status today, December 1st 2008?
    How do I get rid of it? Does it need getting rid of?
    Can I safely use Skype for International business conference calls? Who is listening?
    No wonder one becomes paranoid about downloading even stuff that should be safe. Bloody Hell!
    The Baldchemist

  112. @Masterkiller: It is possible to read the BIOS from Windows NT. No need to reboot or change the OS.

  113. Yes, I am paranoid, but why the heck should Skype implement a readout of my hardware (BIOS) ID?

    And why do they hide the little file containing the readout data from my eyes?

    I already asked Skype about this… here what Kurt Sauer, the Chief Security Officer of Skype said:

    “Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS. The recent versions of Skype for Windows, after 3.0.0.216, include this updated framework.”

    So don’t worry more
    Good luck

  115. This should not be ignored. I have been running sysinternals process monitor and watching skype.exe due to it taking up to 2 minutes to log in or create an account and opening hundreds of connections to other computers, even though i have group policies and registry keys disabling supernode. (as detailed in skype’s own network admin guide found here: http://www.skype.com/security/network-admin-guide-version2.2.pdf ) I have been doing this off and on over the past month. During this time, I found skype to be reading the hard disk volume id and creation date/time, the windows product id, unique identifying information about hardware installed on those computers, information from registry keys for Windows Product Activation (unique values that can’t be changed), and more. All of this takes place before I even log in, including the hundreds of open udp and tcpip connections. When I’ve tested logging in multiple accounts in a row, I’ve noticed that, on rare occasions, skype accesses the desktop.ini file and then reads directory contents of folders on my desktop. Less than a day after I first noticed this last part happening, one of my personal software programs (located in a folder on my desktop) checked in with my webserver from an unapproved ip I later found in the group of ip addresses skype had opened a connection to. It only checked in once, but it still happened…Proof that skype stole at least one file from my computer.

    If I enter a wrong password or put in bogus info for the account creation process, causing it to fail, I’ve noticed it will look up certain machine-unique identifying information once again and then transmit more data. (obviously sending this info to skype) Other than that, it was randomly failing my valid logins and slowing my quad-core computer and dual quad-core servers down in ways I’ve only experienced with bad spyware, trojans, viruses or DOS attacks. If it wasn’t for these annoyances and the very noticeable lag I was experiencing, I probably would’ve never looked into it.

    I find it much more likely that skype is spying and transferring files or sensitive information from users’ computers than the lies they’ve fed the participants in this thread. During my investigation of this matter, I found the thread I’m posting to as well as lots of threads regarding paying users having difficulty logging in and not getting answers for up to a week after following skype’s own instructions. I also discovered the following links which made me feel more obligated to post my findings.

    http://www.pagetable.com/?p=27
    http://forum.skype.com/index.php?showtopic=98518&st=160
    http://freedom-blog.net/2009/03/14/ten-reasons-why-you-should-boycott-skype/
    http://www.google.com/search?q=skype+spies+on+users

    I’ve noticed that verclsid.exe will occasionally pop up in process monitor while running skype, even though it hasn’t shown up in the past two days of leaving process monitor on while skype was closed. This happened even after I renamed the system32/verclsid.exe file to verclsid.bak, indicating they may be creating a file disguised as a valid windows process to do something the skype executable can’t, or doesn’t want to be caught doing.

    DON’T LET THEM SWEEP THIS UNDER THE RUG! DEMAND A REAL ANSWER OR AT LEAST TELL YOUR FRIENDS WHAT YOU’VE LEARNED HERE. BOYCOTT SKYPE!

    as a final note, here are some example lines copied from process monitor, with identifying info replaced with X’s for obvious reasons.

    12:43:00.9131187 PM Skype.exe 3676 QueryInformationVolume C: SUCCESS VolumeCreationTime: XX/XX/XXXX XX:XX:XX PM, VolumeSerialNumber: XXXX-XXXX, SupportsObjects: True, VolumeLabel:

    5:23:45.2135337 AM Skype.exe 592 RegQueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 18, Data: XXXXXXX

    5:23:43.2928407 AM Skype.exe 592 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId SUCCESS Type: REG_SZ, Length: 48, Data: XXXXX-XXX-XXXXXXX-XXXXX

    5:23:43.2959626 AM Skype.exe 592 RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\XX\DiskController\DiskPeripheral\Identifier SUCCESS Type: REG_SZ, Length: 40, Data: XXXXXXXX-XXXXXXXX-X

    5:23:43.2609038 AM Skype.exe 592 RegSetValue HKCR\Skype.Detection\CLSID\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    (these two identifying strings are the same)
    5:23:43.2609946 AM Skype.exe 592 RegSetValue HKCR\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\ProgID\(Default) SUCCESS Type: REG_SZ, Length: 32, Data: Skype.Detection

    5:23:42.4085004 AM Skype.exe 592 RegQueryValue HKLM\SYSTEM\WPA\PnP\seed SUCCESS Type: REG_DWORD, Length: 4, Data: XXXXXXXXXX

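One way to turn log lines like those quoted in comment 115 into a repeatable check, as an added example (not code from the commenter or from Skype): it groups Process Monitor events per process and flags any process that successfully reads several kinds of machine-unique identifier within a few seconds. The sample lines, the rule list, the thresholds and the function names are constructed for this example, and the space-separated layout is assumed from the lines pasted in the comment.

```python
import re
from datetime import datetime

# Constructed sample in the layout quoted above:
# time, process, PID, operation, path, result, detail. All values are invented.
SAMPLE = r"""
9:15:00.1234567 AM Skype.exe 3676 QueryInformationVolume C: SUCCESS VolumeSerialNumber: 0000-0000
9:15:02.0000001 AM Skype.exe 592 RegQueryValue HKLM\SYSTEM\WPA\PnP\seed SUCCESS Type: REG_DWORD, Length: 4, Data: 0
9:15:02.8000002 AM Skype.exe 592 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId SUCCESS Type: REG_SZ, Length: 48, Data: 00000-000-0000000-00000
9:15:02.9000003 AM Skype.exe 592 RegSetValue HKCR\Skype.Detection\CLSID\(Default) SUCCESS Type: REG_SZ, Length: 78, Data: {00000000-0000-0000-0000-000000000000}
9:15:03.1000004 AM Skype.exe 592 RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier SUCCESS Type: REG_SZ, Length: 40, Data: 00000000-00000000-A
9:15:04.5000005 AM Skype.exe 592 RegQueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 18, Data: EXAMPLEPC
9:15:04.6000006 AM Skype.exe 592 RegQueryValue HKLM\SOFTWARE\Example\Missing NAME NOT FOUND Length: 16
9:15:05.0000007 AM explorer.exe 1200 RegQueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS Type: REG_SZ, Length: 18, Data: EXAMPLEPC
"""

# The path may contain spaces, so it is matched lazily up to a known result code.
LINE = re.compile(
    r"(\d+:\d+:\d+)\.(\d+) ([AP]M) (\S+) (\d+) (\w+) (.+?) "
    r"(SUCCESS|NAME NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW)(?: (.*))?$")

# (identifier kind, operation, path pattern): this example's own rule list.
RULES = [
    ("volume serial", "QueryInformationVolume", re.compile(r"^[A-Za-z]:")),
    ("computer name", "RegQueryValue", re.compile(r"\\Control\\ComputerName\\", re.I)),
    ("Windows product ID", "RegQueryValue", re.compile(r"\\CurrentVersion\\ProductId$", re.I)),
    ("disk identifier", "RegQueryValue",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\.*\\Identifier$", re.I)),
    ("activation seed", "RegQueryValue", re.compile(r"^HKLM\\SYSTEM\\WPA\\", re.I)),
]

def parse(line):
    """Return (time, process, pid, operation, path, result) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    clock, frac, ampm, proc, pid, op, path, result, _detail = m.groups()
    # Process Monitor prints 7 fractional digits; strptime's %f accepts at most 6.
    when = datetime.strptime(f"{clock}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")
    return when, proc, int(pid), op, path, result

def fingerprint_bursts(lines, min_kinds=3, window_s=5.0):
    """Map (process, pid) -> identifier kinds read within one time window.

    Times are time-of-day only, so a capture that crosses midnight is not handled.
    """
    reads = {}
    for line in lines:
        event = parse(line)
        if event is None or event[5] != "SUCCESS":      # failed reads leak nothing
            continue
        when, proc, pid, op, path, _ = event
        for kind, rule_op, pattern in RULES:
            if op == rule_op and pattern.search(path):
                reads.setdefault((proc, pid), []).append((when, kind))
    flagged = {}
    for key, events in reads.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            kinds = {k for t, k in events[i:] if (t - start).total_seconds() <= window_s}
            if len(kinds) >= min_kinds and len(kinds) > len(flagged.get(key, ())):
                flagged[key] = sorted(kinds)
    return flagged

if __name__ == "__main__":
    for (proc, pid), kinds in fingerprint_bursts(SAMPLE.splitlines()).items():
        print(f"{proc} (PID {pid}) read: {', '.join(kinds)}")
```

A single identifier read, such as the explorer.exe line, stays below the threshold; tightening `window_s` or raising `min_kinds` trades missed bursts against false alarms from ordinary software.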
  116. Fascinating!

    I was drawn to this site because my IP blocker, “PeerBlock” goes totally nuts when skype is switched on.

    Mainly blocking universities, all over the world.

  117. I am lucky as I find and use this site to know my bios serial. But some problem was happened.

  118. Hello everyone!
    And why, exactly, if a program works out the addresses of the BIOS and other system parameters, must it be planning to do harm? It could compute a checksum from part of the BIOS (e.g. 1024 bytes) – after all, that is not changed by software (well, almost) – so why not use this data to authenticate the unique key that is used for encryption.

  120. They can accumulate your motherboard’s serial number + your login in their database. Which means tracking which logins were used on one computer.
    The very fact of some extraneous code is already suspicious.. Something is not right here!

  122. Really I am impressed by this post….the person who created this post is a genius and knows how to keep the readers connected..thanks for sharing this with us. I found it informative and interesting. Looking forward to more updates..

  123. In this day and age it’s always good to be on the alert. We all benefit in some way when knowledge is power. Power to people I say! It will always keep these huge companies on the alert, instead of big brother watching us, it’s our turn to keep watch on them. Good post!

  124. Now Skype updates itself; DotNet 4 and at least Vista are required, for search. Otherwise there is just garbage on the screen.
    I suspect that it also checks incoming magnet links – like torrents etc.
