
Win32.PiBi.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.PiBi.B@mm is also known as I-Worm.PieceByPiece.B, (Red, Cell.

Explanation:

Win32.PiBi.B@mm is the second version of Win32.Pibi.A@mm. Like its predecessor it spreads by mass-mailing, over IRC and through file-sharing applications; it is written in Visual C++ and packed with UPX.
It arrives attached to an email message in one of the following two formats (the "Istall" misspelling in the body is the worm's own text and is a useful indicator):

From: (address of infected user)
Subject: Re: hya
Body: Istall the program in the attachment.
Attachment: install.exe

From: "Microsoft"
Reply-To: "Microsoft"
Subject: WindowsXP Service Release Pack 2.002
Body: Istall the program in the attachment.
Attachment: install.exe
The worm attempts to terminate security software: it scans the names of loaded modules for any of the following substrings and kills the processes whose names match (note that the list contains both "AV" and "av"):
AV, F-, av, NOD32, SCAN, MON, ALERT, ANTIVIR, PCCW, PCC, FP-, TRAP, TDS2-, VET, SWEEP, MCAFEE, FIREW, DVP, CFI, ICL, VSHW
When run for the first time, the worm will:
- create the registry value "HKLM\Software\PieceByPieceB\inf" with the data "yep" (an infection marker);
- copy itself to \system\wsysNNN.exe (where NNN is a random number) and create the registry value "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module" so that Windows runs that copy at every start-up;
- copy itself, under one of the names wmplay9.exe, wamp3.exe, winxpserial.exe or kmd22.exe, into the shared folders of Kazaa, Morpheus, BearShare and eDonkey2000, in order to spread to other users of those file-sharing applications;
- create a .zip archive of itself as \system\w32sysNNN.zip (if WinZip is installed) and modify script.ini in the mIRC folder so that the archive is sent to other users on the chat server (if mIRC is installed); the infected user is also made to join the #pbpB channel automatically;
- create a base64-encoded copy of the worm in C:\boot64.bin (used for the email attachments) and send email messages in the format described above to addresses harvested from *.htm files in the Temporary Internet Files folder;
- display the following message box:

The worm then calls the RegisterServiceProcess API function to hide itself from the task list (on Windows 9x) and to keep running after the current user logs off. It calls the mass-mailing routine once more and sets a timer that re-invokes that routine every 50 seconds.
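The indicators above (the anti-virus name list, the registry marker and Run value, the dropped file names, the mail templates) can be turned into host-side checks. The following is an added example, not BitDefender's description or the worm's code; it runs over constructed snapshots of a host rather than a live machine, the path prefixes (C:\WINDOWS, the Kazaa folder) are assumptions since the page only gives the \system\ tail, and the case-insensitive default for the module-name test is a defender's choice, since the page does not state how the worm compares names.

```python
"""Offline indicator checks for the Win32.PiBi.B@mm description above.

Added example, not BitDefender's or the worm author's code. The inputs are
constructed snapshots (registry values, file paths, process names, mail
headers), so nothing here touches a live system.
"""
import re

# Substrings the worm looks for in module names (list taken from the page).
AV_SUBSTRINGS = ["AV", "F-", "av", "NOD32", "SCAN", "MON", "ALERT", "ANTIVIR",
                 "PCCW", "PCC", "FP-", "TRAP", "TDS2-", "VET", "SWEEP", "MCAFEE",
                 "FIREW", "DVP", "CFI", "ICL", "VSHW"]

# Registry indicators quoted in the description.
INFECTION_MARKER = (r"HKLM\Software\PieceByPieceB\inf", "yep")
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module"

# File-system indicators. The system-folder copies are matched on the path
# tail only, because the page does not give the drive or Windows folder.
SYSTEM_COPY = re.compile(r"\\system\\wsys\d+\.exe$", re.IGNORECASE)
ZIP_COPY = re.compile(r"\\system\\w32sys\d+\.zip$", re.IGNORECASE)
MAIL_STAGING = r"c:\boot64.bin"
P2P_LURES = {"wmplay9.exe", "wamp3.exe", "winxpserial.exe", "kmd22.exe"}

# Mail templates: known subjects plus the misspelled body line.
MAIL_SUBJECTS = {"Re: hya", "WindowsXP Service Release Pack 2.002"}
MAIL_BODY = "Istall the program in the attachment."


def worm_would_target(module_name, case_sensitive=False):
    """Would the worm's substring test match this module name?

    The page lists both "AV" and "av", which hints at a case-sensitive
    comparison, but does not say so. case_sensitive=False is the
    conservative answer to "could my AV process be killed?".
    """
    if case_sensitive:
        return any(s in module_name for s in AV_SUBSTRINGS)
    lowered = module_name.lower()
    return any(s.lower() in lowered for s in AV_SUBSTRINGS)


def check_registry(values):
    """values: {full value path: data}. Returns a list of indicator hits."""
    hits = []
    marker, data = INFECTION_MARKER
    if values.get(marker) == data:
        hits.append(f"infection marker: {marker} = {data!r}")
    if RUN_VALUE in values:
        hits.append(f"persistence: {RUN_VALUE} -> {values[RUN_VALUE]}")
    return hits


def check_files(paths):
    """paths: iterable of full Windows paths. Returns a list of indicator hits."""
    hits = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1].lower()
        if SYSTEM_COPY.search(path):
            hits.append(f"system-folder copy: {path}")
        elif ZIP_COPY.search(path):
            hits.append(f"mIRC zip payload: {path}")
        elif path.lower() == MAIL_STAGING:
            hits.append(f"base64 mail-attachment staging file: {path}")
        elif name in P2P_LURES:
            hits.append(f"P2P lure: {path}")
    return hits


def mail_matches_template(subject, attachment, body=""):
    """True if the subject/attachment pair matches a template, or the exact
    misspelled body arrives together with an install.exe attachment."""
    if attachment.lower() != "install.exe":
        return False
    return subject in MAIL_SUBJECTS or body.strip() == MAIL_BODY


def scan_snapshot(registry, files, processes, mails):
    """Run every check over one host snapshot and return the findings."""
    return {
        "registry": check_registry(registry),
        "files": check_files(files),
        "av_at_risk": [p for p in processes if worm_would_target(p)],
        "mails": [m["subject"] for m in mails
                  if mail_matches_template(m["subject"], m["attachment"],
                                           m.get("body", ""))],
    }


# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE_REGISTRY = {INFECTION_MARKER[0]: "yep",
                   RUN_VALUE: r"C:\WINDOWS\system\wsys472.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\system\wsys472.exe",
                r"C:\WINDOWS\system\w32sys472.zip",
                r"C:\boot64.bin",
                r"C:\Program Files\Kazaa\My Shared Folder\winxpserial.exe",
                r"C:\WINDOWS\notepad.exe"]
SAMPLE_PROCESSES = ["explorer.exe", "ctfmon.exe", "javaw.exe",
                    "nod32krn.exe", "notepad.exe"]
SAMPLE_MAILS = [{"subject": "Re: hya", "attachment": "install.exe"},
                {"subject": "lunch?", "attachment": "menu.pdf"}]

if __name__ == "__main__":
    findings = scan_snapshot(SAMPLE_REGISTRY, SAMPLE_FILES,
                             SAMPLE_PROCESSES, SAMPLE_MAILS)
    for section, found in findings.items():
        print(section, found)
```

The process check is worth running with both settings: with case-insensitive matching the crude list also flags benign names such as ctfmon.exe ("MON") and javaw.exe ("av"), which is exactly the kind of collateral a substring-based kill list produces and a reason not to reuse such lists as detection signatures on their own.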
On October 18th the worm displays the following lyrics:

Last update 21 November 2011
