W32/Warpigs.B
Analysis
- Virus is 32-bit with a compressed size of 67,104 bytes
- File properties of the virus are the following:
  Description: Generic Host Process for Win32 Services
  Internal Name: winservices.exe
- If the virus is run, it copies itself to the Windows\System32 folder as "Winupdate.exe" and then loads into memory
- Virus will attempt to locate machines across the network and connect to them in order to infect them
- Virus will attempt to connect to target systems using the Administrator account and a hard-coded dictionary of passwords
- Virus uses the imports "WNetAddConnection2A", "NetScheduleJobAdd" and "NetRemoteTOD" as a means to connect to, install and initiate the virus on remote systems
- Virus may terminate the following programs if they are running, as a means to hide its activities:
  NETSTAT.EXE
  TASKMGR.EXE
  MSCONFIG.EXE
  REGEDIT.EXE
- Virus may connect to an IRC channel and network and await instructions from a hacker or group of hackers
- If the target system is Windows 98/Me, the virus may alter the [boot] section of the SYSTEM.INI file with the following instruction:
  shell = explorer.exe winupdate.exe
- Virus may modify the registry to load at Windows startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
  "windowsupdate" = winupdate.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  "windowsupdate" = winupdate.exe
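The persistence indicators above (the two Run/RunOnce values, the dropped copy in System32 and the SYSTEM.INI shell line) can be checked on a host with a short script. The following PowerShell is an added example written for this page, not tooling from the original analysis or from any vendor: the key paths, value name and file name are taken from the text; the match on "winupdate.exe" in the registry value, the assumed process name "winupdate", and the choice to hash the dropped file are assumptions of the example.

```powershell
# Added example: check a host for the W32/Warpigs.B persistence indicators
# listed in the analysis. Run from an elevated prompt so HKLM and System32
# are readable; HKCU covers only the user running the script.

$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'windowsupdate' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name = 'windowsupdate' }
)

$findings = @()

# Registry autostart values: the analysis gives "windowsupdate" = winupdate.exe;
# matching on the file name (assumption) also catches a value with a full path.
foreach ($i in $indicators) {
    if (Test-Path $i.Path) {
        $props = Get-ItemProperty -Path $i.Path -ErrorAction SilentlyContinue
        $value = $props.PSObject.Properties[$i.Name]
        if ($value -and ($value.Value -match 'winupdate\.exe')) {
            $findings += "Registry: $($i.Path)\$($i.Name) = $($value.Value)"
        }
    }
}

# Dropped copy in System32 (the analysis names it Winupdate.exe).
$dropped = Join-Path $env:SystemRoot 'System32\Winupdate.exe'
if (Test-Path $dropped) {
    $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
    $findings += "File: $dropped (SHA256 $hash)"
}

# SYSTEM.INI [boot] shell line. The analysis ties this to Windows 98/Me; on
# later systems the file is normally a stub, so a hit is still worth a look.
$sysIni = Join-Path $env:SystemRoot 'system.ini'
if (Test-Path $sysIni) {
    $shellLine = Select-String -Path $sysIni -Pattern '^\s*shell\s*=.*winupdate\.exe'
    if ($shellLine) {
        $findings += "SYSTEM.INI: $($shellLine.Line.Trim())"
    }
}

# Running instance; the process name is assumed from the dropped file name.
$proc = Get-Process -Name 'winupdate' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Process: winupdate.exe PID(s) $($proc.Id -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Warpigs.B persistence indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only reports; removal of the registry values and the dropped file is left to the operator so that the evidence (including the file hash) can be preserved first. Because the analysis also lists NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE and REGEDIT.EXE as programs the virus terminates, those tools may not stay open on an infected host, which is one reason to check from a script rather than interactively.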