Piggi

Technical Details

System Infection

Upon execution, Piggi.A creates the following registry entries so as to start automatically with Windows:

• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] top\worm = [malware's path and filename]
• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] SvcHost = "C:\WINDOWS\system32\svchost.exe:svchost.exe"

It also drops a file named msfsr.sys in the Windows system directory and another random .sys file on C:\WINDOWS\system32\drivers\ and starts them as a service.

These are the registry keys for the services Piggi.A creates:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msfsr
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random_name]

It will also copy itself to "C:\Program Files\Internet Explorer\iexplore.exe". The original iexplore.exe will be moved to the folder:

• C:\WINDOWS\system32\dllcache\

It also creates copies of itself to folders with the following strings:

• BearShare
• Collections
• Downloads
• my shared folder
• share
• shared
• upload
• uploads

The filename is any of the following:

• 10,000 B.C.
• 28 Weeks Later
• 30 Days of Night
• 30 Rock season 2
• Across the Universe
• Age of Conan-Hyborian Adventures
• Alpha Dog
• American Gangster
• Angel-A
• Angelina Jolie(unseen)
• Are We Done Yet?
• Atonement
• August Rush
• Balls of Fury
• Because I Said So
• Beowulf
• Black Book
• Blades of Glory
• Breach
• Britney Spears(unseen)
• Brother & Sisters season 2
• Captivity
• Carmen Electra(unseen)
• Command & Conquer 3-Tiberium Wars
• Company of Heroes
• Criminal Minds - next season
• CSI-London
• Dallas
• Dancing with the Stars - next season
• Death at a Funeral
• Delta Farce
• Desperados 2-Cooper's Revenge
• Desperate Housewives - next season
• Disturbia
• Dragon Age
• Dreamfall-The Longest Journey
• Dungeons & Dragons Online-Stormreach
• Eastern Promises
• El Cantante
• Elder Scrolls IV-Oblivion
• Enchanted
• Enemy Territory-Quake Wars
• Epic Movie
• Evening
• Fantastic Four 2
• Final Fantasy XIV
• Firehouse Dog
• Fly Me to the Moon
• Foodfight!
• Fracture
• Fragile
• Freedom Writers
• Full Auto 2-Battlelines
• Full of It
• Gears of War
• Ghost Recon-Advanced Warfighter
• Gilmore Girls season 8
• God Grew Tired of Us
• Gran Turismo HD
• Grand Theft Auto IV
• Grind House
• Guild Wars-Factions
• Hairspray
• Half-Life 2-Aftermath
• Halloween
• Hannibal Rising
• Hellgate-London
• Heroes of Might & Magic V
• Hilary Duff(unseen)
• His Dark Materials-The Golden Compass
• Horton Hears a Who
• Hostel 2
• Hot Fuzz
• Hot Rod
• In the Land of Women
• Inkheart
• Iron Man
• Jennifer Lopez(unseen)
• Jessica Alba(unseen)
• Jessica Simpson(unseen)
• Journey 3-D
• Jumper
• Kidnapped season 2
• Kingdom Hearts 2
• Kung Fu Panda
• La Vie en Rose
• Lucky You
• Lust, Caution
• Master of Time and Space
• Metal Gear-Subsistence
• Metroid Prime Hunters
• No Reservations
• Ocean's Thirteen
• Offside
• Okami
• Opus-The Last Christmas
• Pamela Anderson(unseen)
• Paris Hilton(unseen)
• Pathfinder
• Perfect Stranger
• Pride
• Pride & Glory
• Prison Break season 3
• Prom Night (2007)
• Rainbow Six-Vegas
• Red Steel
• Reservation Road
• Resistance-Fall of Man
• Rise of Nations-Rise of Legends
• Rocket Science
• Rogue
• Romeo & Juliet-Sealed with a Kiss
• S.T.A.L.K.E.R.-Shadow of Chernobyl
• Scrubs - next season
• Seven Day Itch
• Severance
• Shoot 'Em Up
• Shooter
• Skinwalkers
• Slow Burn
• Smokin' Aces
• South Park season 11
• Southland Tales
• Splinter Cell Essentials
• Splinter Cell-Double Agent
• Spring Breakdown
• Standoff season 2
• Star Trek-Legacy
• Star Wars-Empire at War
• Starcraft-Ghost
• Stardust
• Stomp the Yard
• Strange Wilderness
• Strangers
• Sunshine
• Super Bad
• Supreme Commander
• Surf's Up
• Talk to Me
• The Assassination of Jesse James
• The Astronaut Farmer
• The Dark Is Rising
• The Flock
• The Half Life of Timofey Berezin
• The Hitcher
• The Hoax
• The Host
• The Ice at the Bottom of the World
• The Invasion
• The Invisible
• The Kingdom
• The Last Legion
• The Last Sin Eater
• The Lives of Others
• The Lord of the Rings-The Battle for Middle-earth II
• The Messengers
• The Namesake
• The Nine season 2
• The Number 23
• The OC season 5
• The Office season 4
• The Reaping
• The Simpsons
• The Spiderwick Chronicles
• The Transformers
• The TV Set
• The Ultimate Gift
• The Valet
• The Waterhorse
• This Christmas
• Til Death season 2
• Too Human
• Trade
• Trick 'r Treat
• Ugly Betty season 2
• Underdog
• Untraceable
• Vacancy
• Vanguard Saga of Heros
• Vantage Point
• Veronica Mars - next season
• Vista
• Vista Ultimate
• Whisper
• Wild Hogs
• Without a Trace - next season
• Wonder Woman
• World of Warcraft-The Burning Crusade
• Zodiac

The file name includes any of the following extensions:

• - Full.exe
• - Keygen.exe
• .avi.com
• .iso.exe
• .mp4.com
• .zip.exe

Examples:

• Half-Life 2-Aftermath.avi.com
• World of Warcraft-The Burning Crusade - Keygen.exe
• World of Warcraft-The Burning Crusade.mp4.com

Stops Antivirus Services

Piggi.A also stops running antivirus services with the following names:

• McShield
• navapsvc
• SymAppCor

Then copies itself to the following folders:

• C:\Program Files\McAfee.com\Agent\mcupdate.exe
• C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
• C:\Program Files\Symantec\LiveUpdate\LUALL.EXE

This is to ensure that these antivirus applications cannot perform an automatic update.

Rootkit Capability

This malware hides its own process and files using two kernel-mode drivers.

These are:

• msfsr.sys - dropped in the Windows system directory and run as service. This creates a device, so that user-mode can communicate with it and allows the user-mode component to hide any process_id it wants.
• [random_name].sys - dropped in %windir%\system32\drivers\ and run as service. This hides any files that are defined in the created c:\zyxwvuts.log file. Below is an example of the string inside the said file:

Spreading via email

The worm collects email addresses from the infected computer. It locates the WAB (Windows Address Book) file and Temporary Internet files. The following are the details:

The worm sends itself as attachment to the gathered email addresses using the following format:

• TO:
• FROM: The From field may use any of these addresses:
• They may use any of these domain names:
• SUBJECT:
• ATTACHMENT: The filenames of the attachment may contain any of these strings:
• With any of the following extensions:
• Example:
• BODY: This malware uses a pool of strings to search and combine to create the body of the email. The following are some of the strings that can be found in the email's body:

Below are examples of the the possible string combinations that can be found in the body of the email:

• Hello, I found this picture (attached) of you on somebody's blog. Maybe you should look at it straight away. I can't believe you would publish that yourself.

• Hi, I saw this amazing free deal on the web. This is a one time offer. Your own Nintendo Wii totally free. Just open the attachment for details.

Other

Piggi.A also continues queries to the site mi5.gov.uk.

This malware comes packed with Yoda Protector 1.03.3