Virus

W32/Phaze.A!p2p

Analysis

  • Copies itself as the following:
    • %ProgramFiles%\winupdates\winupdates.exe
    • %SystemRoot%\s.tmp
    • %SystemRoot%\a.zip

  • Drops the file bszip.dll in the System folder.
  • Attempts to disable several programs by creating the following files in the System folder, and setting the hidden and system attributes:
    • taskkill.com
    • tasklist.com

  • Creates the hidden folder Uploads in the System root folder.
  • Displays the following message:
    Title: Setup
    Body: Welcome to the Setup Wizard
    It is recommended that you close all other applications before continuing.
    Click Next to continue, or cancel to exit Setup.
    When the user clicks on Next, it displays the following error message:
    Title: Setup
    Body: Version has expired please download software update.

    Peer-to-peer (P2P) Propagation
  • Attempts to connect to http://windowsupdate.microsoft.com in order to verify that the computer is connected to the internet.
  • Generates file names by appending the string .zip to strings extracted from the following websites:
    • http://www.phazeddl.com
    • http://katz.ws
    • http://justddl.com
    • http://qualityddl.com
    • http://satanwarez.com
    • http://warezbox.com
    • http://powerddl.com
    • http://fullddl.net
    • http://www.ddlspot.com
    • http://gotddl.com
    • http://ddldirect.com
    • http://x-ddl.com

  • Copies %SystemRoot%\a.zip to the following locations:
    • %SystemRoot%\Uploads\[FILE NAME].zip
    • %SystemRoot%My Shared Folder\[FILE NAME].zip
    • %UserProfile%\shared\[FILE NAME].zip
    • %ProgramFiles%\Ares\My Shared Folder\[FILE NAME].zip
    • %ProgramFiles%\eMule\Incoming\[FILE NAME].zip
    • %ProgramFiles%\Kazaa\My Shared Folder\[FILE NAME].zip
    • %ProgramFiles%\morpheus\My Shared Folder\[FILE NAME].zip
    • %ProgramFiles%\grokster\my grokster\[FILE NAME].zip
    • %ProgramFiles%\Bearshare\Shared\[FILE NAME].zip
    • %ProgramFiles%\Limewire\Shared\[FILE NAME].zip
    • %ProgramFiles%\Edonkey2000\Incoming\[FILE NAME].zip
    • %ProgramFiles%\gnucleus\downloads\[FILE NAME].zip
    • %ProgramFiles%\shareaza\downloads\[FILE NAME].zip
    • %ProgramFiles%\rapigator\[FILE NAME].zip

  • Attempts to start Limewire, if it is installed on the compromised computer.
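The following PowerShell script is an added example and is not part of the Fortinet entry. It triages a host for the file-system artifacts listed in the analysis above: the dropped files, the planted taskkill.com and tasklist.com, the hidden Uploads folder, and .zip copies parked in the P2P share folders. It assumes that the entry's "System folder" is %SystemRoot%\System32, that the listed paths expand with the standard Windows environment variables (ProgramFiles, SystemRoot, UserProfile), and a PowerShell 4 or later host (for Get-FileHash).

```powershell
# Added example, not part of the Fortinet entry: check a host for the
# file-system artifacts of W32/Phaze.A!p2p described in the analysis.
# Assumption: "System folder" means %SystemRoot%\System32.

$system = Join-Path $env:SystemRoot 'System32'

# Files the entry says the worm creates or drops.
$droppedFiles = @(
    (Join-Path $env:ProgramFiles 'winupdates\winupdates.exe'),
    (Join-Path $env:SystemRoot   's.tmp'),
    (Join-Path $env:SystemRoot   'a.zip'),
    (Join-Path $system           'bszip.dll'),
    (Join-Path $system           'taskkill.com'),
    (Join-Path $system           'tasklist.com')
)

# Share folders into which a.zip is copied under generated [FILE NAME].zip names.
$shareFolders = @(
    (Join-Path $env:SystemRoot   'Uploads'),
    (Join-Path $env:UserProfile  'shared'),
    (Join-Path $env:ProgramFiles 'Ares\My Shared Folder'),
    (Join-Path $env:ProgramFiles 'eMule\Incoming'),
    (Join-Path $env:ProgramFiles 'Kazaa\My Shared Folder'),
    (Join-Path $env:ProgramFiles 'morpheus\My Shared Folder'),
    (Join-Path $env:ProgramFiles 'grokster\my grokster'),
    (Join-Path $env:ProgramFiles 'Bearshare\Shared'),
    (Join-Path $env:ProgramFiles 'Limewire\Shared'),
    (Join-Path $env:ProgramFiles 'Edonkey2000\Incoming'),
    (Join-Path $env:ProgramFiles 'gnucleus\downloads'),
    (Join-Path $env:ProgramFiles 'shareaza\downloads'),
    (Join-Path $env:ProgramFiles 'rapigator')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Indicator, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Path = $Path; Detail = $Detail })
}

# 1. Dropped files. -Force is needed because some carry hidden+system attributes.
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $attr = (Get-Item -LiteralPath $path -Force).Attributes
        Add-Finding 'DroppedFile' $path "Attributes: $attr"
    }
}

# 2. taskkill.com / tasklist.com beside the genuine .exe. The default PATHEXT
#    order lists .COM before .EXE, so a bare "taskkill" typed at a prompt
#    resolves to the planted .com instead of the real tool.
foreach ($tool in 'taskkill', 'tasklist') {
    $com = Join-Path $system "$tool.com"
    if (Test-Path -LiteralPath $com) {
        $attr   = (Get-Item -LiteralPath $com -Force).Attributes
        $hidden = [bool]($attr -band [IO.FileAttributes]::Hidden)
        $sys    = [bool]($attr -band [IO.FileAttributes]::System)
        Add-Finding 'ShadowedTool' $com "Hidden=$hidden System=$sys; shadows $tool.exe"
    }
}

# 3. Hidden Uploads folder under the system root.
$uploads = Join-Path $env:SystemRoot 'Uploads'
if (Test-Path -LiteralPath $uploads) {
    $attr = (Get-Item -LiteralPath $uploads -Force).Attributes
    Add-Finding 'HiddenFolder' $uploads "Attributes: $attr"
}

# 4. .zip files in P2P share folders. Because the file names are generated,
#    match copies by SHA256 against %SystemRoot%\a.zip when that seed exists.
$seed     = Join-Path $env:SystemRoot 'a.zip'
$seedHash = $null
if (Test-Path -LiteralPath $seed) {
    $seedHash = (Get-FileHash -LiteralPath $seed -Algorithm SHA256).Hash
}
foreach ($dir in $shareFolders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.zip' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $detail = 'zip present in share folder'
            if ($seedHash) {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                if ($h -eq $seedHash) { $detail = 'SHA256 matches %SystemRoot%\a.zip' }
            }
            Add-Finding 'SharedZip' $_.FullName $detail
        }
}

if ($findings.Count -eq 0) {
    'No W32/Phaze.A!p2p file-system artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that %SystemRoot% and the share folders are readable. A hit on a ShadowedTool or hash-matched SharedZip entry is a strong lead for isolating the host; a lone .zip in a share folder is only a lead until its hash is compared with the seed file or checked against the AV signature.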

Recommended Action

    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.