W32/Warpigs.A

description-logoAnalysis

  • Virus is 32bit with a compressed size of 63,520 bytes
  • If virus is run, it will copy itself to the Windows\System32 folder as “Discworld.exe” and then load into memory
  • Virus will attempt to locate machines across the network and connect with them in order to infect them – Virus will attempt to connect with target systems using the Administrator account and a hard-coded dictionary of passwords
  • Virus uses the imports “WNetAddConnection2A”, “NetScheduleJobAdd” and “NetRemoteTOD” as a means to connect with, install and initiate the virus on systems remotely
  • Virus may terminate these programs if they are running as a means to hide its activities –
    NETSTAT.EXE
    TASKMGR.EXE
    MSCONFIG.EXE
    REGEDIT.EXE
  • Virus may connect to an IRC channel and network and await instructions from a hacker or group of hackers
  • Virus may modify the registry to load at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
    "winsockdriver" = Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13 [November 10th, 2001] By PMG, http://iroffer.org/ - CYGWIN_NT-5.0 1.3.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "winsockdriver" = Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13 [November 10th, 2001] By PMG, http://iroffer.org/ - CYGWIN_NT-5.0 1.3.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update\
    "bla" = (high ASCII characters)

Telemetry logoTelemetry