W32/Pilif
Analysis
This virus is a 32-bit Windows executable with a UPX-packed file size of 20,480 bytes. It uses its own SMTP code and a mass-mailing routine to distribute itself to others. It contains additional code to copy itself to popular P2P shared folders and mapped network drives, and to send itself to IRC users via DCC.
If the virus is run, it copies itself to the System32 folder, then modifies the registry to
- disable Outlook warning
- disable Task Manager
The virus changes these registry values -
HKEY_CURRENT_USER\Identities\{unique ID}\Software\Microsoft\Outlook Express\5.0\Mail
"Warn on Mapi Send" = 0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = 01, 00, 00, 00
While the virus is running in memory, it will also disable use of the START button.
Loading at Windows Startup
The virus will register itself to load from this registry key -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Pilif" = C:\WINNT\System32\Pilif.exe
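The three registry changes listed above are the simplest host-based indicators for this virus. The following Python function, added here as an example and not part of the Fortinet write-up, checks an in-memory snapshot of registry values for those changes. The snapshot shape (a dict keyed by full key path, mapping value names to data) is an assumption of this example; on a live host you would populate it from a `reg.exe export` or the `winreg` module. The sample snapshots at the bottom are constructed.

```python
# Added example (not from the W32/Pilif write-up): flag the registry changes
# the analysis attributes to the virus. Snapshot format is an assumption:
#   {"HIVE\\key\\path": {"value name": data, ...}, ...}

OUTLOOK_MAIL_SUFFIX = r"\software\microsoft\outlook express\5.0\mail"
POLICIES_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"


def find_pilif_registry_indicators(snapshot):
    """Return a list of findings, one per registry modification seen."""
    findings = []
    for key, values in snapshot.items():
        k = key.lower()
        # 1. Outlook Express MAPI send warning turned off under any Identities\{GUID} subtree
        if k.startswith(r"hkey_current_user\identities\{") and k.endswith(OUTLOOK_MAIL_SUFFIX):
            if values.get("Warn on Mapi Send") == 0:
                findings.append(f"Outlook Express 'Warn on Mapi Send' disabled: {key}")
        # 2. Task Manager disabled; the write-up shows REG_BINARY 01 00 00 00,
        #    but accept the DWORD form too since exports differ
        elif k == POLICIES_SYSTEM:
            if values.get("DisableTaskMgr") in (1, b"\x01\x00\x00\x00"):
                findings.append("Task Manager disabled via Policies\\System\\DisableTaskMgr")
        # 3. Run key value named "Pilif", or any Run value launching Pilif.exe from System32
        elif k == RUN_KEY:
            for name, data in values.items():
                if name.lower() == "pilif" or str(data).lower().endswith(r"\system32\pilif.exe"):
                    findings.append(f"Startup persistence: Run\\{name} = {data}")
    return findings


# Constructed snapshot resembling an infected host (the GUID is a placeholder)
INFECTED = {
    r"HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}"
    r"\Software\Microsoft\Outlook Express\5.0\Mail": {"Warn on Mapi Send": 0},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System": {
        "DisableTaskMgr": b"\x01\x00\x00\x00"
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Pilif": r"C:\WINNT\System32\Pilif.exe"
    },
}

# Constructed snapshot for a clean host: warning still on, no policy, benign Run entry
CLEAN = {
    r"HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}"
    r"\Software\Microsoft\Outlook Express\5.0\Mail": {"Warn on Mapi Send": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe"
    },
}

if __name__ == "__main__":
    for line in find_pilif_registry_indicators(INFECTED):
        print(line)
```

A single finding is worth investigating, but all three together (MAPI warning off, Task Manager disabled, and a System32 Run entry) match this virus closely enough to escalate; removing only the Run value leaves the policy changes in place, so remediation should reset all three.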
Mass-mailing routine
The virus searches the hard drive for email addresses and stores found addresses in a file "adrbook" in the System32 folder. The virus creates email messages using a list of possible subject lines and body text.
Possible attachment file names -
manifesto
pilif
sustain cause
details
attachement
Manifesto anti pilif
Manifesto details
Freedom of expression
Simple solution
Goverment issue
The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd.
P2P shared folder population
The virus will copy itself as one of these file names into the shared folders for numerous P2P applications -
Norton 2004 crack
Kasperky AV Universal Key
Dark Coderz Alliance
Anti-hacker Utility
Cracks mega warez collection
Sex - totally free porn
Easy credit card validation
Yahoo hacker
Webmail official hacker
Free porn sites accounts
The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd. The virus will copy itself to these folder locations -
\KMD\Shared Folder
\Kazaa\My Shared Folder
\Shareaza\downloads
\Morpheus\My Shared Folder
\Grokster\My Grokster
\BearShare\Shared
\Edonkey2000\Incoming
\limewire\Shared
\icq\shared files
\WinMX\my shared folder
Pilif will modify the registry to minimize security settings for Morpheus and Kazaa by removing virus scanning settings [for downloaded files] and to enable sharing of the shared folder.
IRC infection vector
The virus will search for installations of mIRC, an Internet chat client. If mIRC is located on the system, the virus will copy itself as the file "Manifesto Anti Censore Pilif.txt.exe" to the installation folder. Next, Pilif will modify the base configuration file to send "Manifesto Anti Censore Pilif.txt.exe" to others when joining chat channels.
Mapped network drives copy routine
The virus will search for mapped drives using a short script. For all files found, the virus will copy itself as one of these files -
manifesto
pilif
sustain cause
details
attachement
Manifesto anti pilif
Manifesto details
Freedom of expression
Simple solution
Goverment issue
The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd.
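The mail attachment, P2P and mapped-drive copies all use a fixed set of lure names with one of five executable extensions, and the mIRC copy uses a fixed double-extension name. Because the names are constant, a file-name scan of shared folders and mapped drives is a cheap way to find copies. The Python scanner below is an added example, not code from the Fortinet write-up; it takes a list of paths (so it can be fed from a directory walk, a file-server listing or a P2P share inventory) and classifies each one against the names and extensions given in the sections above. The sample paths are constructed.

```python
# Added example (not from the W32/Pilif write-up): classify file paths against
# the lure names and extensions the analysis lists for W32/Pilif.
import ntpath  # handles Windows paths correctly even when run on a non-Windows host

# Names used for mail attachments and mapped-drive copies (spellings as in the virus)
ATTACHMENT_NAMES = {
    "manifesto", "pilif", "sustain cause", "details", "attachement",
    "manifesto anti pilif", "manifesto details", "freedom of expression",
    "simple solution", "goverment issue",
}
# Names used for copies dropped into P2P shared folders (spellings as in the virus)
P2P_NAMES = {
    "norton 2004 crack", "kasperky av universal key", "dark coderz alliance",
    "anti-hacker utility", "cracks mega warez collection", "sex - totally free porn",
    "easy credit card validation", "yahoo hacker", "webmail official hacker",
    "free porn sites accounts",
}
EXECUTABLE_EXTS = {".scr", ".pif", ".bat", ".com", ".cmd"}
MIRC_DROP_NAME = "manifesto anti censore pilif.txt.exe"


def classify_path(path):
    """Return a label for a path that matches a W32/Pilif file name, else None."""
    base = ntpath.basename(path).lower()
    if base == MIRC_DROP_NAME:
        return "pilif-mirc-dropper"
    stem, ext = ntpath.splitext(base)
    if ext not in EXECUTABLE_EXTS:
        return None  # the write-up lists only these five extensions
    if stem in P2P_NAMES:
        return "pilif-p2p-lure"
    if stem in ATTACHMENT_NAMES:
        return "pilif-attachment-lure"
    return None


def scan_paths(paths):
    """Return (path, label) pairs for every path that classifies as a Pilif copy."""
    hits = []
    for p in paths:
        label = classify_path(p)
        if label:
            hits.append((p, label))
    return hits


# Constructed sample listing: two P2P shares, a mIRC folder and a mapped drive
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\Norton 2004 crack.scr",
    r"C:\Program Files\Kazaa\My Shared Folder\song.mp3",
    r"C:\Program Files\limewire\Shared\Yahoo hacker.exe",          # .exe is not in the list
    r"C:\Program Files\mIRC\Manifesto Anti Censore Pilif.txt.exe",
    r"Z:\details.cmd",
    r"Z:\details.txt",
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_PATHS):
        print(f"{label:24} {path}")
```

Matching is case-insensitive because Windows file systems are, and the `.exe` sample is deliberately left unflagged to show that the scan only covers the extensions the write-up names; widen `EXECUTABLE_EXTS` if your environment warrants it. A hit on the mIRC name should prompt a review of the client's script configuration, since the write-up says the virus edits it to send the file on channel join.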
Miscellaneous
The virus contains these strings embedded in its body, which are not displayed -
Only two things are infinite : The Universe and Human Stupidity. And I am not sure about the Universe - A.Einstein
Happy birthday Ombladon! Fuck you Pilif...
Feel how it is to have your basic rights taken away!
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR