Warpigs.B

Classification

Malware

Worm

W32

Warpigs.B, W32/Warpigs.B, W32/Warpi.worm, W32.HLLW.Warpigs.B

Summary

Warpigs.B is a network worm with an IRC backdoor and self-updating capabilities. Warpigs.B was written in Visual C++ and it spreads in UPX packed form with the size of around 67KB.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Network spreading

Warpigs.B contains a really long password list with more than 1600 entries.

The worm uses these when scanning for vulnerable hosts. If any of the passwords gives access to the victim the worm copies itself there.

Warpigs.B has a copy of the psexec.exe tool in its body. Psexec is used to copy and run the worm on vulnerable hosts.

System infection

When Warpigs.B enters a system it copies itself to the System Directory as 'winupdate.exe'. It add references to this copy in the registry as:

'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsupdate'
 

and

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsupdate'
 

The infected copy is also added to system.ini as:

[Boot]
Shell=explorer winupdate.exe
 

With these modifications the worm makes sure that it will be started everytime the computer is started.

When scanning for vulnerable remote systems the worm drops a UPX packed copy the popular network tool psexec.exe. This file is dropped to the System Directory as 'pqonwe.exe'.

Backdoor

Warpigs.B is built around an IRC controlled backdoor component. The backdoor provides a remote attacker with full control over the infected machine.

When the worm is started the backdoor component connects to a predefined IRC channel. The IRC server this worm uses listens on port 5000 instead of the usual 6667 like other IRC servers.

The backdoor has a command for updating the worm from a predefined website. The website is not reachable at this point anymore.

Removal

F-Secure has created a special disinfection tool for this worm. F-Warpigs kills the running copy of the worm from the memory, removes the infected files and reverts the configuration changes the worm had made.

The F-Warpigs tool is available for download from:

ftp://ftp.f-secure.com/anti-virus/tools/f-warpigs.zip

Date Created: -

Date Last Modified: -