Follow:

 

Win32/Phorpiex


Win32/Phorpiex is a family of worms that spread via removable drives and IM (instant messaging) software. The worms also allow backdoor access and control.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:
Removing a program exception

This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:

For Windows 8 :

  1. Open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you're using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search), entering firewall in the search box, tapping or clicking Settings, and then tapping or clicking Windows Firewall.
  2. In the left pane, tap or click Allow an app or feature through Windows Firewall.
  3. Tap or click Change settings. You might be asked for an admin password or to confirm your choice.
  4. Select the check box next to the app you want to allow, select the network types you want to allow communication on, and then click OK.

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Select <program name> from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the left-hand menu, select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select <program name> from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click <program name> and then click Delete.
  5. Click OK.
Disable Autorun functionality

This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
http://support.microsoft.com/kb/967715/

 

Threat behavior

Win32/Phorpiex is a family of worms that spread via removable drives and IM (instant messaging) software. The worms also allow backdoor access and control.

Installation

You may have been infected by Win32/Phorpiex by connecting your computer to an already-infected removable drive, or from clicking a link in an IM window sent to you by an infected computer.

When run, variants of Win32/Phorpiex copy themselves to a folder in the %USERPROFILE% directory, for example:

%USERPROFILE%\M-1-52-5782-8752-5245

Note: %USERPROFILE% refers to a variable location that is determined by the malware by querying the operating system. The default location for the User Profile folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>" or "C:\Users\<user>". For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>".

The name of the folder changes from installation to installation of the worm.

Variants of Win32/Phorpiex have been observed to use the following file names when copying themselves:

  • windsrcn.exe
  • winmgr.exe
  • winsam.exe
  • winsam.exe
  • winsrvc.exe
  • winsvc.exe

The worm creates a registry entry to ensure that its copy runs at each Windows start, for example:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"

Spreads via...

Removable drives

Variants of Win32/Phorpiex search for the presence of removable drives with a drive letter other than A: or B:.

If the worm finds a removable drive, it searches for any folders within the drive, sets that folder to "HIDDEN" and then creates a shortcut file that uses the folder's name and icon. The shortcut links to a copy of itself that the worm created in a separate hidden folder. It does this for all folders it finds on the drive.

The name, lack of an extension, and the use of the folder's icon are all designed to mislead you into thinking the worm is actually a folder, in the hopes that you will attempt to "open" that folder, and instead inadvertently run the worm.

In the pictured example below, the worm finds the removable drive, "G:". It then locates the folders "first", "second" and "third" in the drive.

The worm creates the folder "G:\84612795", and copies itself into it as "first.exe", "second.exe" and "third.exe". It then sets the folders "first", "second", "third" and "84612795" to "HIDDEN".

The worm creates three shortcut files (LNK) to its copies, using the same names as the three folders, "first.lnk", "second.lnk" and "third.lnk". It uses a folder icon for their icons, and removes the ".lnk" extension.

In this way, the worm intends for you to be lured in to "opening" what appear to be normal folders but are in fact shortcuts to the worm, which will then run. 

Variants of Win32/Phorpiex also place an "autorun.inf" file in the root directory of the targeted drive, which may be detected as Worm:Win32/Autorun!inf.

Such "autorun.inf" files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Instant messaging software

Via their backdoor functionality, Win32/Phorpiex variants can be instructed to spread either themselves or other malware via IM software. When instructed to do so, the worm checks if any of the following applications are running on your computer:

  • AIM
  • Google Talk
  • ICQ
  • Paltalk
  • Windows Live Messenger
  • Xfire chat

If found, the worm randomly selects and posts a message, using the running IM software. The message is written in the language that is associated with your computer's location or region, and contains a link to the worm or other malware.

The following are some examples of the messages:

Arabic:

  • انظروا الى هذه الصورة

Armenian:

  • նայել այս նկարը

Belarusian and Ukrainian:

  • подивися на цю фотографію

Bulgarian:

  • Погледнете тази снимка

Chinese:

  • 看看這張照片 

Dutch:

  • ken je dat foto nog?
  • kijk wat voor een foto ik heb gevonden
  • ik hoop dat jij het net bent op dit foto
  • ben jij dat op dit foto?
  • dit foto zal je echt eens bekijken!
  • ken je dit foto al?

English:

  • tell me what you think of this picture i edited
  • this is the funniest photo ever!
  • tell me what you think of this photo
  • i don't think i will ever sleep again after seeing this photo
  • i cant believe i still have this picture
  • should i make this my default picture? 

German: 

  • wie findest du das foto?
  • hab ich dir das foto schon gezeigt?
  • schau mal das foto an
  • schau mal welches foto ich gefunden hab
  • bist du das auf dem foto?
  • kennst du das foto schon?

Greek:

  • ματιά σε αυτή την εικόνα 

Hebrew:

  • להסתכל על התמונה הזאת

Italian:

  • ti piace la foto?
  • hai visto questa foto?
  • la foto e grandiosa!
  • ti ricordi la Foto?
  • conosci la persona in questa foto?
  • chi e in questa foto?

Japanese:

  • この写真を見て

Korean:

  • 이 사진을 봐

Latvian:

  • Ieskatieties šajā attēlā 

Lithuanian:

  • pažvelgti į šį vaizdą

Maltese:

  • iħares lejn dan ir-ritratt

Portuguese:

  • olhar para esta foto

Romanian:

  • nu imi mai voi face niciodat poze!! toate ies urate ca asta.
  • spune-mi ce crezi despre poza asta.
  • asta e ce-a mai funny poza! tu ce zici?
  • zimi ce crezi despre poza asta?

Russian:

  • подивися на цю фотографію

Spanish:

  • creo que no voy a poder dormir más despues de ver esta foto. mirá.
  • esta foto es graciosísima! que decis?
  • mis padres me van a matar si ven esta foto mia, que decis?
  • mira como saliste en esta foto jajaja

Thai:

  • ดูรูปนี้ 
Payload

Allows backdoor access and control

Win32/Phorpiex attempts to connect to an IRC server, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on your computer. This could include the following actions:

  • Join a particular IRC channel
  • Download and execute arbitrary files
  • Spread the worm or other malware via IM software
  • Perform a denial of service attack on a specified target
  • Remove the worm from your computer

Changes firewall settings

The malware adds itself to the list of applications that are authorized to access the Internet without being stopped by the firewall, by making modifications to your computer's registry.

Related encyclopedia entries

Worm:Win32/Autorun!inf

Analysis by Ray Roberts


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • In removable drives, the presence of hidden files, along with shortcuts that appear as folder icons, similar to these:


     
  • The presence of the following files:
     
    %USERPROFILE%\M-1-52-5782-8752-5245\windsrcn.exe
    %USERPROFILE%\M-1-52-5782-8752-5245\winmgr.exe
    %USERPROFILE%\M-1-52-5782-8752-5245\winsam.exe
    %USERPROFILE%\M-1-52-5782-8752-5245\winsam.exe
    %USERPROFILE%\M-1-52-5782-8752-5245\winsrvc.exe
     
  • The presence of the following registry modification:

    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Microsoft Windows Update"
    With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"


Prevention

 
Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer
  • Get the latest computer updates for all your installed software
  • Use up-to-date antivirus software
  • Limit user privileges on the computer
  • Use caution when opening attachments and accepting file transfers
  • Use caution when clicking on links to webpages
  • Avoid downloading pirated software
  • Protect yourself against social engineering attacks
  • Use strong passwords
Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software is available from the following:

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allowed users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC in your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see 'Create strong passwords'.


Alert level: Severe
This entry was first published on: Nov 12, 2012
This entry was updated on: Nov 13, 2012

This threat is also detected as:
  • Win32/Zehbilas (ESET)