
Win32.PiBi.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.PiBi.A@mm is also known as N/A.

Explanation:

Win32.PiBi.A@mm is a mass-mailing worm. It spreads by e-mailing itself as an executable attachment, by sending itself (as a .zip archive) to other IRC users via mIRC, and by tricking KaZaA users into downloading the worm from the shared folders of infected users. It was written in Visual C++ and packed with UPX.

It arrives in an e-mail in one of the following formats:

From: (address of infected user)
Subject: Hello
Body:
You will find all you need in the attachment.
Attachment: setup.exe

From: john@barrysworld.com
Subject: Hello
Body:
You will find all you need in the attachment.
Attachment: setup.exe

From: "Microsoft"
Reply-To: "Microsoft"
Subject: Internet Explorer vulnerability patch
Body:
You will find all you need in the attachment.
Attachment: setup.exe
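The three lure formats above share a fixed body sentence, a fixed attachment name and, in two of them, a fixed subject or spoofed "Microsoft" display name with no real address, which makes them easy to match at a mail gateway. The Python rule below is an added example, not part of the BitDefender description: the message fixture is constructed for the example, and the attachment is a stand-in byte string with a DOS "MZ" header and UPX section names, not the worm itself.

```python
"""Gateway rule for the Win32.PiBi.A@mm lure formats listed above (added example).

SAMPLE_LURE is constructed for this example; FAKE_PAYLOAD is a stand-in that
only looks like a UPX-packed PE to the checks below. Neither is a real sample.
"""
import base64
import email
from email import policy

LURE_SUBJECTS = {"hello", "internet explorer vulnerability patch"}
LURE_BODY = "you will find all you need in the attachment."
LURE_ATTACHMENT = "setup.exe"
FALLBACK_SENDER = "john@barrysworld.com"   # the worm's hardcoded fallback account

# Constructed stand-in payload: 'MZ' header plus UPX0/UPX1 section names.
FAKE_PAYLOAD = (b"MZ" + b"\x00" * 62
                + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + b"\x00" * 16)

SAMPLE_LURE = (
    'From: "Microsoft"\r\n'
    'Reply-To: "Microsoft"\r\n'
    "To: victim@example.test\r\n"
    "Subject: Internet Explorer vulnerability patch\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "You will find all you need in the attachment.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="setup.exe"\r\n'
    'Content-Disposition: attachment; filename="setup.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(FAKE_PAYLOAD).decode() + "\r\n"
    "--b1--\r\n"
)

BENIGN_MAIL = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: Lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
)


def score_message(raw: str) -> list[str]:
    """Return the PiBi lure indicators present in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip().lower()
    sender = str(msg["From"] or "").lower()
    if subject in LURE_SUBJECTS:
        findings.append(f"lure subject {subject!r}")
    if FALLBACK_SENDER in sender:
        findings.append("hardcoded fallback sender john@barrysworld.com")
    # The third format uses only a display name; no microsoft.com mailbox is present.
    if "microsoft" in sender and "@microsoft.com" not in sender:
        findings.append("sender claims to be Microsoft without a microsoft.com address")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and LURE_BODY in body_part.get_content().strip().lower():
        findings.append("lure body text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_content()          # bytes for application/octet-stream
        if not isinstance(data, bytes):
            continue
        if name == LURE_ATTACHMENT:
            findings.append("attachment named setup.exe")
        if data[:2] == b"MZ":
            findings.append(f"attachment {name!r} is a PE executable")
            if b"UPX" in data:
                findings.append("attachment carries UPX section names")
    return findings


def is_pibi_lure(raw: str, threshold: int = 3) -> bool:
    """Flag a message only when several independent indicators coincide."""
    return len(score_message(raw)) >= threshold


if __name__ == "__main__":
    for line in score_message(SAMPLE_LURE):
        print(line)
    print("lure:", is_pibi_lure(SAMPLE_LURE), "| benign:", is_pibi_lure(BENIGN_MAIL))
```

The threshold matters: "Hello" as a subject or a bare .exe attachment each occur in legitimate mail, so the rule requires the body sentence and attachment characteristics to agree before it fires.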

When executed, the worm:
- attempts to terminate processes that contain the substring "AV" in the name of one of their loaded modules (a crude attempt to disable anti-virus software);
- creates the registry key HKLM\Software\RedCell with a value "infected" set to "yes" (an infection marker);
- copies itself into the "System" subfolder of the Windows folder as "winsysNNN.exe" (where NNN is a random number) and creates the registry value "Windows task32 sys" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the copy is run at Windows start-up;
- copies itself into the KaZaA shared folder under one of the names described above;
- if WinZip is installed, creates a ZIP archive named "win32sysNNN.zip" containing the worm in the "System" subfolder of the Windows folder, and, if mIRC is installed, modifies the mIRC "script.ini" file so that the ZIP-compressed worm is sent to other users on the chat server;
- writes a Base64-encoded copy of the worm body to "C:\Msbootlog.sys"; this copy is later used to build the e-mail attachments;
- sends e-mail messages (in the formats described above) to addresses harvested from .HTM files in the "Temporary Internet Files" folder; the user's e-mail account and SMTP server are read from the registry if possible, otherwise the worm falls back to a hardcoded address and server (john@barrysworld.com / smtp.barrysworld.com); a timer attempts to send e-mail every 50 seconds;
- displays the following message box:

- if the current date is 15 September, also displays this message box:
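The host-side artifacts in the list above (the RedCell marker key, the "Windows task32 sys" Run value, winsysNNN.exe and win32sysNNN.zip in the System folder, the Base64 worm copy in C:\Msbootlog.sys, and a modified mIRC script.ini) are what an incident responder would check for. The triage routine below is an added example, not BitDefender's tooling: it runs over a constructed snapshot dictionary that stands in for an exported registry and file listing, uses ntpath so it also runs on a non-Windows analysis box, and the mIRC script.ini line is hypothetical, since this page does not reproduce the worm's actual script text.

```python
"""Host triage for the Win32.PiBi.A@mm artifacts listed above (added example).

INFECTED_SNAPSHOT and CLEAN_SNAPSHOT are constructed for this example; the
script.ini content is a hypothetical mIRC 'on JOIN' DCC send line, not the
worm's real script.
"""
import base64
import ntpath
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows task32 sys"
MARKER_KEY = r"HKLM\Software\RedCell"       # value "infected" = "yes"
BOOTLOG_PATH = r"C:\Msbootlog.sys"           # Base64 copy of the worm body
WINSYS_EXE = re.compile(r"^winsys\d+\.exe$", re.IGNORECASE)
WINSYS_ZIP = re.compile(r"^win32sys\d+\.zip$", re.IGNORECASE)
ZIP_REF = re.compile(r"win32sys\d+\.zip", re.IGNORECASE)   # name referenced inside script.ini

# Constructed snapshot of an infected host; every value is made up for the example.
INFECTED_SNAPSHOT = {
    "registry": {
        MARKER_KEY: {"infected": "yes"},
        RUN_KEY: {
            "Windows task32 sys": r"C:\WINDOWS\System\winsys482.exe",
            "OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe",
        },
    },
    "files": {
        r"C:\WINDOWS\System\winsys482.exe": b"MZ\x90\x00" + b"\x00" * 12,
        r"C:\WINDOWS\System\win32sys482.zip": b"PK\x03\x04" + b"\x00" * 12,
        r"C:\Msbootlog.sys": base64.b64encode(b"MZ\x90\x00" + b"\x00" * 12),
        # Hypothetical mIRC script: push the archive to anyone joining a channel.
        r"C:\Program Files\mIRC\script.ini":
            b"[script]\r\nn0=on 1:JOIN:#:/dcc send $nick C:\\WINDOWS\\System\\win32sys482.zip\r\n",
    },
}

CLEAN_SNAPSHOT = {
    "registry": {RUN_KEY: {"OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe"}},
    "files": {r"C:\Program Files\mIRC\script.ini": b"[script]\r\n"},
}


def triage(snapshot: dict) -> list[str]:
    """Return one finding per PiBi artifact present in the snapshot."""
    findings = []
    reg = snapshot.get("registry", {})

    if reg.get(MARKER_KEY, {}).get("infected", "").lower() == "yes":
        findings.append(f"infection marker {MARKER_KEY}\\infected = yes")

    # Either the known value name or any winsysNNN.exe target is suspicious.
    for name, cmd in reg.get(RUN_KEY, {}).items():
        exe = ntpath.basename(cmd.strip('"'))
        if name.lower() == RUN_VALUE_NAME.lower() or WINSYS_EXE.match(exe):
            findings.append(f"Run persistence {name!r} -> {cmd}")

    for path, data in snapshot.get("files", {}).items():
        base = ntpath.basename(path)
        if WINSYS_EXE.match(base) and data[:2] == b"MZ":
            findings.append(f"worm copy {path}")
        elif WINSYS_ZIP.match(base) and data[:2] == b"PK":
            findings.append(f"IRC spreading archive {path}")
        elif path.lower() == BOOTLOG_PATH.lower():
            # Decoding the first 8 Base64 characters is enough to see the 'MZ' header.
            try:
                head = base64.b64decode(data[:8], validate=True)
            except ValueError:
                head = b""
            if head[:2] == b"MZ":
                findings.append(f"Base64-encoded worm body {path}")
        elif base.lower() == "script.ini":
            for line in data.decode("latin-1").splitlines():
                if "dcc send" in line.lower() and ZIP_REF.search(line):
                    findings.append(f"mIRC script.ini sends worm archive: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in triage(INFECTED_SNAPSHOT):
        print(finding)
    print("clean host findings:", triage(CLEAN_SNAPSHOT))
```

On a live host the snapshot would be filled from the registry and file system (for instance via a PowerShell export of the Run key and the System folder listing); the matching logic stays the same, and the Base64 check avoids decoding a whole Msbootlog.sys just to confirm what it holds.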

Last update 21 November 2011

 
