Piggi.A mass mails itself and collects email addresses. Piggi.A kills processes belonging to anti-virus and security software and has rootkit functionality.
Upon execution, Piggi.A creates the following registry entries so as to start automatically with Windows:
It also drops a file named msfsr.sys in the Windows system directory and another .sys file with a random name in C:\WINDOWS\system32\drivers\, and starts both as services. These are the registry keys for the services Piggi.A creates:
It will also copy itself to "C:\Program Files\Internet Explorer\iexplore.exe". The original iexplore.exe will be moved to the folder:
It also creates copies of itself to folders with the following strings:
The filename is any of the following:
The file name includes any of the following extensions:
Piggi.A also stops running antivirus services with the following names:
It then copies itself to the following folders:
This is to ensure that these antivirus applications cannot perform an automatic update.
This malware hides its own process and files using two kernel-mode drivers. These are:

msfsr.sys - dropped in the Windows system directory and run as a service. It creates a device so that the user-mode component can communicate with it and ask it to hide any process ID it wants.

[random_name].sys - dropped in %windir%\system32\drivers\ and run as a service. It hides any files listed in the c:\zyxwvuts.log file that the malware creates. Below is an example of the string inside that file:
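Because the second driver filters what the live system's directory-listing API returns, a file hidden this way is only visible through a route the driver does not control (an offline disk image, or the disk mounted from clean boot media). The script below is an added example, not F-Secure's tooling: it compares a listing taken on the live system against a trusted listing of the same directories and reports anything present only in the trusted view, and it separately flags the two artifact names given in this description (msfsr.sys and zyxwvuts.log). The sample listings and the driver name qwe123.sys are constructed; the real dropped driver has a random name.

```python
"""Cross-view check for files hidden by a kernel-mode file-hiding driver.

Added example (not F-Secure code). Artifact names come from the Piggi.A
description; all paths in the sample listings below are constructed.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

# File names quoted in the Piggi.A description.
KNOWN_ARTIFACTS = {"msfsr.sys", "zyxwvuts.log"}

HIDDEN = "present in trusted view but absent from live directory listing"
ARTIFACT = "known Piggi.A artifact name"


@dataclass
class Finding:
    path: str
    reason: str


def live_listing(directory: str) -> set:
    """Enumerate a directory through the running system's API (the view a
    rootkit can filter). Used on the live host; not used by the offline demo."""
    return {os.path.join(directory, name) for name in os.listdir(directory)}


def analyse(live_view: Iterable[str], trusted_view: Iterable[str]) -> List[Finding]:
    """Compare two listings of the same directories.

    live_view    - paths returned by the live system's directory API
    trusted_view - paths enumerated by an independent route (offline image)
    Comparison is case-insensitive because Windows paths are.
    """
    live = {p.lower() for p in live_view}
    trusted = {p.lower(): p for p in trusted_view}
    findings = []
    for key in sorted(trusted):
        original = trusted[key]
        if key not in live:
            findings.append(Finding(original, HIDDEN))
        name = key.rsplit("\\", 1)[-1]
        if name in KNOWN_ARTIFACTS:
            findings.append(Finding(original, ARTIFACT))
    return findings


# Constructed sample: what the live API shows, and what the offline view shows.
LIVE_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
}
TRUSTED_VIEW = LIVE_VIEW | {
    r"C:\WINDOWS\system32\msfsr.sys",             # named in the description
    r"C:\zyxwvuts.log",                           # hide list, named in the description
    r"C:\WINDOWS\system32\drivers\qwe123.sys",    # constructed stand-in for the random driver
}

if __name__ == "__main__":
    for f in analyse(LIVE_VIEW, TRUSTED_VIEW):
        print(f"{f.path}: {f.reason}")
```

The diff deliberately flags every file missing from the live view, not only the known names: the random driver and any file added to the hide list are exactly the entries you cannot predict by name. Two agreeing views prove nothing; it is the disagreement that matters.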
The worm collects email addresses from the infected computer. It locates the WAB (Windows Address Book) file and Temporary Internet files. The following are the details:
The worm sends itself as an attachment to the gathered email addresses using the following format:
The From field may use any of these addresses:
They may use any of these domain names:
The filenames of the attachment may contain any of these strings:
With any of the following extensions:
This malware builds the body of the email by selecting and combining strings from a pool. The following are some of the strings that can be found in the email's body:
Below are examples of the possible string combinations that can be found in the body of the email:
Hello, I found this picture (attached) of you on somebody's blog. Maybe you should look at it straight away. I can't believe you would publish that yourself. Hi, I saw this amazing free deal on the web. This is a one time offer. Your own Nintendo Wii totally free. Just open the attachment for details.
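A mail gateway can use the two sample bodies above as a content heuristic, but lure text alone produces false positives; the worm's messages are only dangerous because they also carry the worm as an executable attachment. The script below is an added example, not F-Secure code: it parses a message with Python's standard email library and quarantines it only when a quoted lure phrase and an executable attachment occur together. The extension list and the two sample messages are constructed assumptions; the description's own lists of attachment names and extensions are not reproduced here.

```python
"""Mail-gateway heuristic for Piggi.A-style lure messages.

Added example (not F-Secure code). Lure phrases are taken from the sample
bodies in the description; the extension list and messages are constructed.
"""
import os
from email import message_from_string
from email.message import Message

# Fragments of the two sample bodies quoted in the description, lowercased.
LURE_PHRASES = (
    "i found this picture (attached) of you on somebody's blog",
    "your own nintendo wii totally free",
    "just open the attachment for details",
)
# Assumed set of attachment extensions treated as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}


def attachment_names(msg: Message) -> list:
    """Return the filenames of all parts marked as attachments."""
    return [
        part.get_filename()
        for part in msg.walk()
        if part.get_filename() and part.get_content_disposition() == "attachment"
    ]


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments, lowercased."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks).lower()


def classify(raw_message: str) -> dict:
    """Quarantine only when lure text and an executable attachment coincide."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    lures = [phrase for phrase in LURE_PHRASES if phrase in body]
    executables = [
        name for name in attachment_names(msg)
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS
    ]
    verdict = "quarantine" if lures and executables else "pass"
    return {"lure_phrases": lures, "executable_attachments": executables, "verdict": verdict}


# Constructed sample resembling the first quoted body, with a .scr attachment
# (the attachment payload is just the bytes "ABCD", not real code).
SAMPLE_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: picture
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Hello, I found this picture (attached) of you on somebody's blog.
Maybe you should look at it straight away.

--XYZ
Content-Type: application/octet-stream; name="picture.scr"
Content-Disposition: attachment; filename="picture.scr"
Content-Transfer-Encoding: base64

QUJDRA==
--XYZ--
"""

# Constructed benign message: lure wording but no attachment.
BENIGN_MESSAGE = """\
From: friend@example.com
To: victim@example.com
Subject: hi
Content-Type: text/plain; charset="us-ascii"

Your own Nintendo Wii totally free? I doubt it. See you tomorrow.
"""

if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE))
    print(classify(BENIGN_MESSAGE))
```

Requiring both signals keeps a joke or a forwarded warning that quotes the lure text out of quarantine, while the attachment check still catches the message even when the worm's string pool produces a body combination not listed here.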
Piggi.A also continuously sends queries to the site mi5.gov.uk. This malware comes packed with Yoda Protector 1.03.3.