
Worm:Win32/Phorpiex.M


First posted on 18 February 2013.
Source: Microsoft

Aliases:

Worm:Win32/Phorpiex.M is also known as Trojan.Win32.Jorik.IRCbot.waj (Kaspersky), BackDoor.IRC.Bot.2232 (Dr.Web), Trojan-PWS.Win32.Fareit (Ikarus), PWS-Zbot.gen.ary (McAfee), Troj/IRCbot-AKR (Sophos), WORM_PHORPIEX.JZ (Trend Micro).

Explanation:

Installation

When run, Worm:Win32/Phorpiex.M copies itself to a subfolder of %UserProfile%, for example:

%UserProfile%\6489672321067478425\winsvc.exe

Some of the other file names it uses are the following:

  • winmgr.exe
  • winraz.exe
  • winsam.exe
  • winsvc.exe
  • winsvn.exe


It also adds the following registry entry so that it automatically runs every time Windows starts, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%UserProfile%\6489672321067478425\winsvc.exe"

Spreads via...

Email

Worm:Win32/Phorpiex.M spreads itself to other computers via email. It downloads a list of email addresses to send itself to from a certain URL. The URL is provided by a remote attacker connected to your computer via IRC (see Payload section below for details).

The email it sends out may have the following details:

Attachment: "<random number>-JPG.scr" inside a ZIP file, for example, "0540435562-JPG.zip"
Subject (any of the following):
I cant believe I still have this picture
I love your picture!
Is this you??
Picture of you???
Should I upload this picture on facebook?
Someone showed me your picture
Someone told me it's your picture
Take a look at my new picture please
Tell me what you think of this picture
This is the funniest picture ever!
What do you think of my new hair
What you think of my new hair color?
What you think of this picture?
You look so beautiful on this picture
You should take a look at this picture
Your photo isn't really that great

Removable and fixed drives

Worm:Win32/Phorpiex.M looks for existing drives with drive letters other than A: and B:.

In these drives, Worm:Win32/Phorpiex.M sets all folders in the drive to hidden, system, and read-only. It then creates shortcuts with the same file names as these folders. The shortcut file links to a worm copy located in a separate hidden folder.

For example, in this image, the folders "folder1", "folder2", and "folder3" have been marked by the worm as hidden, and the shortcut files "folder1", "folder2", and "folder3" all point to the hidden worm copy "843921.exe". The worm does this in an attempt to mislead you into thinking that the shortcut files are the folders.



Worm:Win32/Phorpiex.M also places a file named "autorun.inf" in the root folder of the target drive. This file may be detected as Worm:Win32/Autorun!inf. Such a file allows the worm copy to run when the drive is accessed and the Autorun feature is enabled. You should note that files named "autorun.inf" are not necessarily a sign of infection, as they are used by legitimate programs and installation media.

Payloads

Allows backdoor access and control

Worm:Win32/Phorpiex.M attempts to connect to an IRC server, join a channel, and wait for commands. Using this backdoor, an attacker can command the worm to perform a number of actions on your computer, including:

  • Join a particular IRC channel
  • Download and run arbitrary files from certain servers, such as the server at 74.208.195.229
  • Spread itself or other malware
  • Remove itself from your computer
  • Get your computer's default locale


We have observed this worm downloading other Phorpiex variants (such as Worm:Win32/Phorpiex.T and Worm:Win32/Phorpiex.P) and other malware like TrojanDownloader:Win32/Dofoil.R.

Changes the Windows Firewall settings

Worm:Win32/Phorpiex.M adds itself to the list of applications that are authorized to access the Internet without being stopped by the firewall. It does this by making these changes to your registry, for example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%UserProfile%\6489672321067478425\winsvc.exe"
With data: "%UserProfile%\6489672321067478425\winsvc.exe:*:Enabled:Microsoft Windows Update"
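As an added defender-side example (not part of the Microsoft description), the following Python checks encode the three artefacts described above: the hidden-folder-plus-shortcut decoy on drives, the "Microsoft Windows Update" Run value, and the firewall AuthorizedApplications entry. It works on already-collected directory listings and registry values rather than touching a live host (on Windows those would come from os.scandir with GetFileAttributesW and from winreg, which is assumed, not called), and the sample inputs are constructed to mirror the paths in the description.

```python
import re

# Windows file attribute bits (winnt.h); the worm sets all three on the real folders.
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x2, 0x4
STEALTH = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
# Dropped-file naming from the description: a numeric subfolder and one of five win*.exe names.
WORM_PATH_RE = re.compile(r"\\\d+\\win(?:mgr|raz|sam|svc|svn)\.exe$", re.IGNORECASE)


def folder_shortcut_lures(entries):
    """entries: (name, is_dir, attributes) tuples for one drive root. Returns folders
    marked hidden+system+read-only that have a sibling '<name>.lnk' shortcut, the
    decoy layout the worm leaves on removable and fixed drives."""
    dirs = {name: attrs for name, is_dir, attrs in entries if is_dir}
    lnks = {name[:-4] for name, is_dir, _ in entries if not is_dir and name.lower().endswith(".lnk")}
    return sorted(n for n, a in dirs.items() if a & STEALTH == STEALTH and n in lnks)


def worm_run_values(run_values):
    """run_values: {value name: data} read from HKCU\\...\\CurrentVersion\\Run."""
    return sorted(k for k, v in run_values.items() if WORM_PATH_RE.search(v.strip('"')))


def worm_firewall_entries(auth_list):
    """auth_list: {value name: data} from ...\\AuthorizedApplications\\List. Data is
    'path:scope:Enabled|Disabled:display name'; rsplit keeps a 'C:' inside the path intact."""
    hits = []
    for name, data in auth_list.items():
        parts = data.rsplit(":", 3)
        if len(parts) == 4 and WORM_PATH_RE.search(parts[0]):
            hits.append((name, parts[3]))  # display name the entry hides behind
    return sorted(hits)


# Constructed sample inputs mirroring the artefacts in the description (not captured from a host).
SAMPLE_DRIVE = [
    ("folder1", True, STEALTH), ("folder1.lnk", False, 0x20),
    ("folder2", True, STEALTH), ("folder2.lnk", False, 0x20),
    ("Photos", True, 0x10), ("Photos.lnk", False, 0x20),  # user-made shortcut, folder not hidden
    ("843921", True, STEALTH),                             # hidden worm folder, no decoy of its own
    ("autorun.inf", False, FILE_ATTRIBUTE_HIDDEN),
]
SAMPLE_RUN = {
    "Microsoft Windows Update": '"%UserProfile%\\6489672321067478425\\winsvc.exe"',
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
}
SAMPLE_FW = {
    "%UserProfile%\\6489672321067478425\\winsvc.exe":
        "%UserProfile%\\6489672321067478425\\winsvc.exe:*:Enabled:Microsoft Windows Update",
    "C:\\Program Files\\App\\app.exe": "C:\\Program Files\\App\\app.exe:*:Enabled:App",
}
```

The folder check deliberately ignores a shortcut next to a normal, visible folder, since users create those themselves; only the hidden+system+read-only combination with a same-named .lnk is reported.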

Additional information

Worm:Win32/Phorpiex.M checks whether it is running in a virtual environment and exits if it is, in order to avoid analysis.



Analysis by Rodel Finones

Last update 18 February 2013
