W32/Warpigs.B

description-logoAnalysis

  • Virus is 32bit with a compressed size of 67,104 bytes
  • File properties of the virus are the following:
    Description: Generic Host Process for Win32 Services
    Internal Name: winservices.exe
  • If virus is run, it will copy itself to the Windows\System32 folder as “Winupdate.exe” and then load into memory
  • Virus will attempt to locate machines across the network and connect with them in order to infect them – Virus will attempt to connect with target systems using the Administrator account and a hard-coded dictionary of passwords
  • Virus uses the imports “WNetAddConnection2A”, “NetScheduleJobAdd” and “NetRemoteTOD” as a means to connect with, install and initiate the virus on systems remotely
  • Virus may terminate these programs if they are running as a means to hide its activities –
    NETSTAT.EXE
    TASKMGR.EXE
    MSCONFIG.EXE
    REGEDIT.EXE
  • Virus may connect to an IRC channel and network and await instructions from a hacker or group of hackers
  • If the target system is Windows 98/Me, the virus may alter the SYSTEM.INI file into the [boot] section with the following instruction –
    shell = explorer.exe winupdate.exe
  • Virus may modify the registry to load at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
    "windowsupdate" = winupdate.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "windowsupdate" = winupdate.exe

Telemetry logoTelemetry