F-Secure Virus Descriptions : Warpigs.B
| NAME: | Warpigs.B |
| ALIAS: | W32/Warpigs.B, W32/Warpi.worm, W32.HLLW.Warpigs.B |
Warpigs.B is a network worm with an IRC-controlled backdoor and a self-update
capability. It was written in Visual C++ and spreads as a UPX-packed
executable of roughly 67 KB.
Network spreading
Warpigs.B carries a password list of more than 1600 entries.
When scanning for hosts to infect, the worm tries these passwords against each
target; the weakness it relies on is therefore a guessable password rather than
a software flaw. If any of the passwords grants access to the victim, the worm
copies itself there.
Warpigs.B also carries a copy of the psexec.exe tool in its body. Psexec is
used to copy the worm to, and start it on, every host it gains access to.
System infection
When Warpigs.B enters a system it copies itself to the System Directory
as 'winupdate.exe'. It adds references to this copy in the registry as
'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsupdate'
and
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsupdate'
The infected copy is also added to system.ini as
[Boot]
Shell=explorer winupdate.exe
With these modifications the worm makes sure that it is started every
time the computer is started. The system.ini Shell= line is honoured by
Windows 9x/ME; NT-based Windows takes its shell from the registry, so on
those systems the Run and RunOnce entries are the ones that keep the worm
running. Note that the HKLM Run entry survives a reboot on its own, while a
RunOnce value is removed by Windows after it has been executed once.
When scanning for remote systems to infect, the worm drops a UPX-packed
copy of the popular network tool psexec.exe into the System Directory as
'pqonwe.exe'. Psexec itself is a legitimate tool, so it is the unusual file
name, not the tool, that serves as the indicator.
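The following check is an added illustration and is not F-Secure's F-Warpigs tool nor any code from the worm's analysis. It looks for the persistence entries and dropped files listed above: the registry paths, the 'windowsupdate' value name and the file names 'winupdate.exe' and 'pqonwe.exe' come from this description; the helper functions, the constructed sample system.ini and sample registry data are assumptions made for the example. On Windows it reads the live registry and file system; elsewhere it runs against the constructed sample.

```python
"""Check a host for the Warpigs.B persistence entries described above.

Indicators (file names, value name, registry paths) are the ones given in the
description. Everything else here is illustrative and constructed."""
import os
import sys
from typing import Dict, List

WORM_FILE = "winupdate.exe"   # worm copy dropped into the System Directory
PSEXEC_DROP = "pqonwe.exe"    # UPX-packed psexec.exe dropped alongside it
RUN_VALUE = "windowsupdate"   # registry value name the worm creates
RUN_KEYS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def check_system_ini(text: str) -> List[str]:
    """Return findings for a system.ini whose [boot] Shell= line runs the worm.

    Only the [boot] section counts; INI keys and file names are matched
    case-insensitively because Windows treats both that way."""
    findings: List[str] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "shell" and WORM_FILE in value.lower():
                findings.append(f"system.ini [boot] Shell={value}")
    return findings


def check_run_values(values: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the Run/RunOnce value the worm adds.

    `values` maps "HIVE\\subkey" to {value name: data}; see read_run_values()."""
    findings: List[str] = []
    for hive, subkey in RUN_KEYS:
        data = values.get(f"{hive}\\{subkey}", {}).get(RUN_VALUE, "")
        if WORM_FILE in data.lower():
            findings.append(f"{hive}\\{subkey}\\{RUN_VALUE} = {data}")
    return findings


def check_dropped_files(windir: str) -> List[str]:
    """Return paths of the worm copy or dropped psexec found in the System Directory.

    Both 'System' (Windows 9x/ME) and 'System32' (NT-based) are checked."""
    hits: List[str] = []
    for sub in ("System", "System32"):
        for name in (WORM_FILE, PSEXEC_DROP):
            path = os.path.join(windir, sub, name)
            if os.path.isfile(path):
                hits.append(path)
    return hits


def read_run_values() -> Dict[str, Dict[str, str]]:
    """Read the two autorun values from the live registry (Windows only)."""
    import winreg  # standard library, importable only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out: Dict[str, Dict[str, str]] = {}
    for hive, subkey in RUN_KEYS:
        out[f"{hive}\\{subkey}"] = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _ = winreg.QueryValueEx(key, RUN_VALUE)
                out[f"{hive}\\{subkey}"][RUN_VALUE] = str(data)
        except OSError:  # key or value not present
            pass
    return out


def scan_host() -> List[str]:
    """Run every check against the local machine; an empty list means no indicator."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    findings = check_dropped_files(windir)
    ini_path = os.path.join(windir, "system.ini")
    if os.path.isfile(ini_path):
        with open(ini_path, errors="replace") as fh:
            findings += check_system_ini(fh.read())
    findings += check_run_values(read_run_values())
    return findings


# Constructed sample of an infected configuration, mirroring the description.
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer winupdate.exe\n[386Enh]\nebios=*ebios\n"
SAMPLE_RUN_VALUES = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "windowsupdate": r"C:\WINDOWS\SYSTEM32\winupdate.exe"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},
}

if __name__ == "__main__":
    if sys.platform == "win32":
        results = scan_host()
    else:
        results = check_system_ini(SAMPLE_SYSTEM_INI) + check_run_values(SAMPLE_RUN_VALUES)
    for finding in results:
        print("INDICATOR:", finding)
```

A clean host yields an empty list; on the constructed sample the script reports the system.ini Shell= line and the HKCU RunOnce value. Because the worm also drops 'pqonwe.exe', a hit on that file alone is worth following up even when the autorun entries have already been removed.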
Backdoor
Warpigs.B is built around an IRC-controlled backdoor component that gives a
remote attacker full control over the infected machine.
When the worm is started the backdoor component connects to a predefined
IRC channel. The IRC server this worm uses listens on port 5000 instead of
the usual 6667, so network filtering or monitoring that only watches the
standard IRC port will not see this traffic.
The backdoor has a command for updating the worm from a predefined
website. The website was no longer reachable at the time of analysis.
Removal
F-Secure has created a special disinfection tool for this worm.
F-Warpigs terminates the running copy of the worm in memory,
removes the infected files and reverts the configuration changes the
worm made.
The F-Warpigs tool is available for download from
ftp://ftp.f-secure.com/anti-virus/tools/f-warpigs.zip
Detection
Detection of the Warpigs.B worm is available in the following
FSAV update:
[FSAV_Database_Version]
Version=2003-07-23_03
[Analysis: Gergely Erdelyi; F-Secure Corporation; July 23rd, 2003]