Worm:Win32/Phorpiex.B


Worm:Win32/Phorpiex.B is a worm that spreads via removable drives and Windows Live Messenger, and contains backdoor functionality.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. Microsoft security products detect and remove this threat.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Worm:Win32/Phorpiex.B is a worm that spreads via removable drives and Windows Live Messenger, and contains backdoor functionality.

Installation

When executed, Worm:Win32/Phorpiex.B creates a copy of itself at the following file location, then executes this copy:

  • %USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe 

The worm then makes the following changes to the registry to ensure its copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft® Windows Update"
With data: "%USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe"

Spreads via…

Removable drives

The worm enumerates the drives on the infected computer, looking for removable drives other than A: and B:.

If found, the worm makes a copy of itself, such as the following, with 'hidden' and 'system' file attributes:

  • <Drive>:\windrvs32.exe 

The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.

For each folder it finds on the removable drive, the worm sets the 'hidden' attribute on the folder and creates a shortcut (.lnk) file with the same name as the folder. The shortcut points to a copy of the malware stored in a hidden folder on the drive named "94728631". For example, if the worm finds '<Drive>:\MyFolder', it creates '<Drive>:\MyFolder.lnk', which points to a copy of the worm at '<Drive>:\94728631\MyFolder.exe'. A user who opens what looks like their folder launches the worm instead.
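The three removable-drive artifacts described above (the root-level copy, the autorun.inf that launches it, and the folder/.lnk/94728631 shadowing pattern) can be checked for with a small triage script. The following is an added example, not Microsoft's code: the file and folder names come from the write-up, while the on-disk layout is constructed in a temporary directory so it runs offline. On a real case, pass the drive root (e.g. r"E:\\") to scan_drive().

```python
import os
import re
import tempfile

WORM_COPY = "windrvs32.exe"   # root-level copy named in the write-up
STASH_DIR = "94728631"        # hidden folder holding the per-folder payload copies


def parse_autorun(path):
    """Return the targets of open= / shellexecute= lines in an autorun.inf."""
    targets = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r"\s*(open|shellexecute)\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
            if m:
                targets.append(m.group(2))
    return targets


def scan_drive(root):
    """Return (indicator, path) pairs for the Phorpiex.B drive artifacts found under root."""
    findings = []
    entries = os.listdir(root)          # hidden/system entries are still listed
    by_lower = {e.lower(): e for e in entries}

    # 1. the worm copy dropped at the drive root
    if WORM_COPY in by_lower:
        findings.append(("worm copy at drive root", os.path.join(root, by_lower[WORM_COPY])))

    # 2. an autorun.inf whose launch target is that copy
    if "autorun.inf" in by_lower:
        inf = os.path.join(root, by_lower["autorun.inf"])
        if any(os.path.basename(t).lower() == WORM_COPY for t in parse_autorun(inf)):
            findings.append(("autorun.inf launches worm copy", inf))

    # 3. <Folder>.lnk beside a (hidden) folder, backed by <STASH_DIR>\<Folder>.exe
    for entry in entries:
        if entry == STASH_DIR or not os.path.isdir(os.path.join(root, entry)):
            continue
        lnk = os.path.join(root, entry + ".lnk")
        exe = os.path.join(root, STASH_DIR, entry + ".exe")
        if os.path.isfile(lnk) and os.path.isfile(exe):
            findings.append(("folder shadowed by .lnk to hidden payload", lnk))
    return findings


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_infected_sample():
    """Constructed stand-in for an infected drive: placeholder bytes, no real malware."""
    root = tempfile.mkdtemp(prefix="phorpiex_demo_")
    _write(os.path.join(root, WORM_COPY), b"MZ placeholder")
    _write(os.path.join(root, "autorun.inf"),
           b"[autorun]\r\nopen=windrvs32.exe\r\naction=Open folder to view files\r\n")
    os.mkdir(os.path.join(root, STASH_DIR))
    for name in ("MyFolder", "Photos"):
        os.mkdir(os.path.join(root, name))                 # the user's folder (hidden on a real drive)
        _write(os.path.join(root, name + ".lnk"), b"L\x00\x00\x00")
        _write(os.path.join(root, STASH_DIR, name + ".exe"), b"MZ placeholder")
    os.mkdir(os.path.join(root, "Clean"))                  # legitimate folder, no shadow .lnk
    return root


if __name__ == "__main__":
    for indicator, path in scan_drive(build_infected_sample()):
        print(f"{indicator}: {path}")
```

The folder check deliberately requires both the .lnk and the matching .exe under 94728631, so a user's own shortcut to a folder is not flagged. The script does not read Windows file attributes, so it works the same on a drive image mounted on Linux.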

Windows Live Messenger

Worm:Win32/Phorpiex.B checks whether Windows Live Messenger is installed on the infected computer and, if it is, sends each of the infected user's contacts a message containing a link to a copy of itself.

The message is chosen from several phrases according to the locale and system language of the infected computer. Some examples are listed below (the strings are reproduced as sent, since they are useful as indicators):

  • English:
    • tell me what you think of this picture i edited
    • this is the funniest photo ever!
    • tell me what you think of this photo
    • i don't think i will ever sleep again after seeing this photo
    • i cant believe i still have this picture
    • should i make this my default picture?
  • French:
    • je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
    • je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
    • devrais-je mettre cette photo de profile?
    • c'est la photo la plus marrante!
    • dis moi ce que tu pense de cette photo de moi?
    • mes parents vont me tués si ils trouvent cette photo 
  • Spanish:
    • creo que no voy a poder dormir más despues de ver esta foto. mirá
    • no puedo creer que todavía tengo esta foto tuya del invierno pasado, te acordas?
    • quedaría bien si pongo esta foto en mi perfil? o me veo medio mal?
    • esta foto es gracios
    • mis padres me van a matar si ven esta foto mia, que decis?
  • German:
    • wie findest du das foto?
    • hab ich dir das foto schon gezeigt?
    • das foto solltest du wirklich sehen
    • schau mal das foto an
    • unglaublich welche fotos leute von sich machen schau mal
    • so will ich nicht aussehen wenn ich alt bin
    • schau mal welches foto ich gefunden hab
    • bist du das auf dem foto?
    • kennst du das foto schon?
  • Dutch:
    • ken je dat foto nog?
    • kijk wat voor een foto ik heb gevonden
    • zo iets leilijk heb ik nog nooit in mijn leven gezien
    • ik hoop dat jij het net bent op dit foto
    • ben jij dat op dit foto?
    • dit foto zal je echt eens bekijken!
    • ken je dit foto al?
  • Romanian:
    • nu imi mai voi face niciodat poze!! toate ies urate ca asta.
    • spune-mi ce crezi despre poza asta.
    • asta e ce-a mai funny poza! tu ce zici?
    • zimi ce crezi despre poza asta?
    • nu cred ca voi mai putea dormi dupa ce am vazut poza asta. tu ce zici?
  • Italian:
    • ti piace la foto?
    • hai visto questa foto?
    • la foto e grandiosa!
    • ti ricordi la Foto?
    • dopo che hai visto la foto, tu non dormirai piu
    • conosci la persona in questa foto?
    • chi e in questa foto?

Payload

Modifies system security settings

The worm may weaken the affected computer's security settings by making changes to the registry: it adds itself to the Windows Firewall list of authorized applications, so that its network traffic (IRC backdoor traffic and Messenger spreading) is not blocked. It may do this by adding an entry to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
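Both registry artifacts on this page, the Run value under HKCU and the firewall exception under AuthorizedApplications\List, can be hunted for in a .reg export (for example, one produced with reg.exe export) without touching the live hive. The following is an added example, not Microsoft's code. The key paths, the value name and the dropper folder name come from the write-up; the REG_SZ layout of AuthorizedApplications\List entries ("<path>:*:Enabled:<label>", with the path also used as the value name), the profile paths and the whole sample export are assumptions constructed for the demo.

```python
import re

# Full key names as they appear in a .reg export (the write-up uses the HKCU / HKLM short forms).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WORM_DIR = "M-1-74-6482-7942-8945"
WORM_EXE = "winsvc.exe"

# "<name>"="<data>" with .reg escaping (\\ for a backslash, \" for a quote) inside both strings.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the REG_SZ values of a .reg export into {key: {value_name: data}}.

    reg.exe writes UTF-16LE with a BOM; decode the file with encoding="utf-16" first.
    Non-string values (hex:, dword:) are skipped, which is fine for these two keys.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_phorpiex_entries(reg_text):
    """Return (kind, value_name, data) for the Run value and the firewall exception."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # The distinctive folder name is the strong indicator; the file name alone is weaker.
        if WORM_DIR.lower() in data.lower() or data.lower().endswith(WORM_EXE):
            hits.append(("run-key persistence", name, data))
    for name, data in keys.get(FW_LIST_KEY, {}).items():
        # Under AuthorizedApplications\List the value *name* is the executable path.
        if WORM_DIR.lower() in name.lower():
            hits.append(("firewall exception", name, data))
    return hits


# Constructed sample export (assumed layout); not data from the original write-up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft® Windows Update"="C:\\Documents and Settings\\alice\\M-1-74-6482-7942-8945\\winsvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\alice\\M-1-74-6482-7942-8945\\winsvc.exe"="C:\\Documents and Settings\\alice\\M-1-74-6482-7942-8945\\winsvc.exe:*:Enabled:Microsoft Windows Update"
'''

if __name__ == "__main__":
    for kind, name, data in find_phorpiex_entries(SAMPLE_EXPORT):
        print(f"{kind}: {name} -> {data}")
```

Matching on the folder name rather than on "Microsoft® Windows Update" is deliberate: the value name is chosen to look legitimate and is the easiest thing for a variant to change, while the profile folder is what the dropped file actually lives in.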

Allows backdoor access and control

Worm:Win32/Phorpiex.B attempts to connect to the IRC server "srv6207.com", joins a channel and waits there for commands.

Using this backdoor, an attacker can perform a number of actions on an affected computer, including the following:

  • Remove itself
  • Download and execute arbitrary files
  • Spread via Windows Live Messenger
  • Perform a denial-of-service (SYN flood) attack against a specified target
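On the wire, "connect, join a channel and wait for commands" is an ordinary IRC client session: NICK/USER registration, a JOIN, then messages posted to the channel by the operator. When reconstructing such a session from a packet capture, a small RFC 1459 line parser is enough to pull out the server, the bot's nick, the channel and the traffic the bot received there. The following is an added example, not Microsoft's code: the server name comes from the write-up; the nick format, the channel name and the operator's messages are hypothetical placeholders constructed so the parser runs offline (the page does not document the bot's command syntax, so none is assumed here).

```python
def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, params) per RFC 1459 framing."""
    prefix = None
    if line.startswith(":"):                       # optional ":prefix " (sender)
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:                               # trailing param may contain spaces
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def summarise_session(client_to_server, server_to_client):
    """Return the session facts an analyst wants from a bot's IRC traffic."""
    summary = {"server": None, "nick": None, "channels": [], "channel_messages": []}
    for raw in client_to_server.splitlines():
        _, cmd, params = parse_irc_line(raw.rstrip("\r"))
        if cmd == "NICK" and params:
            summary["nick"] = params[0]
        elif cmd == "JOIN" and params:
            for ch in params[0].split(","):
                if ch not in summary["channels"]:
                    summary["channels"].append(ch)
    for raw in server_to_client.splitlines():
        prefix, cmd, params = parse_irc_line(raw.rstrip("\r"))
        if cmd == "001" and prefix:                # RPL_WELCOME: prefix is the server name
            summary["server"] = prefix
        elif cmd == "PRIVMSG" and len(params) == 2 and params[0] in summary["channels"]:
            sender = (prefix or "").split("!")[0]  # nick part of nick!user@host
            summary["channel_messages"].append((sender, params[1]))
    return summary


# Constructed capture (hypothetical nick, channel and operator text; real server name).
CLIENT_TO_SERVER = "\r\n".join([
    "NICK [USA|XP]abc123",
    "USER abc123 0 * :abc123",
    "JOIN #example",
    "PONG :srv6207.com",
]) + "\r\n"

SERVER_TO_CLIENT = "\r\n".join([
    ":srv6207.com 001 [USA|XP]abc123 :Welcome",
    ":[USA|XP]abc123!abc123@10.0.0.5 JOIN :#example",
    ":op!op@example.invalid PRIVMSG #example :placeholder command 1",
    ":op!op@example.invalid PRIVMSG #example :placeholder command 2",
    "PING :srv6207.com",
]) + "\r\n"

if __name__ == "__main__":
    for key, value in summarise_session(CLIENT_TO_SERVER, SERVER_TO_CLIENT).items():
        print(f"{key}: {value}")
```

Only PRIVMSGs addressed to a channel the client actually joined are collected, so server notices and chatter to other channels in a shared capture do not end up in the command list. The same parser applies to any IRC-controlled bot; only the constructed sample is specific to this write-up.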

Analysis by Amir Fouda


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    %USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe
    <Drive>:\windrvs32.exe
  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "Microsoft® Windows Update"
    With data: "%USERPROFILE%\M-1-74-6482-7942-8945\winsvc.exe"
  • The display of the following messages in Windows Live Messenger:

    • English:
      • tell me what you think of this picture i edited
      • this is the funniest photo ever!
      • tell me what you think of this photo
      • i don't think i will ever sleep again after seeing this photo
      • i cant believe i still have this picture
      • should i make this my default picture?
    • French:
      • je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
      • je n'arrive pas a croire que j'ai encore cette photo de toi depuis l'hiver dernier.
      • devrais-je mettre cette photo de profile?
      • c'est la photo la plus marrante!
      • dis moi ce que tu pense de cette photo de moi?
      • mes parents vont me tués si ils trouvent cette photo
    • Spanish:
      • creo que no voy a poder dormir más despues de ver esta foto. mirá
      • no puedo creer que todavía tengo esta foto tuya del invierno pasado, te acordas?
      • quedaría bien si pongo esta foto en mi perfil? o me veo medio mal?
      • esta foto es gracios
      • mis padres me van a matar si ven esta foto mia, que decis?
    • German:
      • wie findest du das foto?
      • hab ich dir das foto schon gezeigt?
      • das foto solltest du wirklich sehen
      • schau mal das foto an
      • unglaublich welche fotos leute von sich machen schau mal
      • so will ich nicht aussehen wenn ich alt bin
      • schau mal welches foto ich gefunden hab
      • bist du das auf dem foto?
      • kennst du das foto schon?
    • Dutch:
      • ken je dat foto nog?
      • kijk wat voor een foto ik heb gevonden
      • zo iets leilijk heb ik nog nooit in mijn leven gezien
      • ik hoop dat jij het net bent op dit foto
      • ben jij dat op dit foto?
      • dit foto zal je echt eens bekijken!
      • ken je dit foto al?
    • Romanian:
      • nu imi mai voi face niciodat poze!! toate ies urate ca asta.
      • spune-mi ce crezi despre poza asta.
      • asta e ce-a mai funny poza! tu ce zici?
      • zimi ce crezi despre poza asta?
      • nu cred ca voi mai putea dormi dupa ce am vazut poza asta. tu ce zici?
    • Italian:
      • ti piace la foto?
      • hai visto questa foto?
      • la foto e grandiosa!
      • ti ricordi la Foto?
      • dopo che hai visto la foto, tu non dormirai piu
      • conosci la persona in questa foto?
      • chi e in questa foto?

Prevention


Alert level: Severe
First detected by definition: 1.109.1159.0
Latest detected by definition: 1.177.2299.0 and higher
First detected on: Aug 05, 2011
This entry was first published on: Aug 05, 2011
This entry was updated on: Sep 05, 2011

This threat is also detected as:
No known aliases