Warpigs.B contains a really long password list with more than 1600 entries.
The worm uses these when scanning for vulnerable hosts. If any of the passwords gives access to the victim the worm copies itself there.
Warpigs.B has a copy of the psexec.exe tool in its body. Psexec is used to copy and run the worm on vulnerable hosts.
When Warpigs.B enters a system it copies itself to the System Directory as 'winupdate.exe'. It add references to this copy in the registry as:
The infected copy is also added to system.ini as:
With these modifications the worm makes sure that it will be started everytime the computer is started.
When scanning for vulnerable remote systems the worm drops a UPX packed copy the popular network tool psexec.exe. This file is dropped to the System Directory as 'pqonwe.exe'.
Warpigs.B is built around an IRC controlled backdoor component. The backdoor provides a remote attacker with full control over the infected machine.
When the worm is started the backdoor component connects to a predefined IRC channel. The IRC server this worm uses listens on port 5000 instead of the usual 6667 like other IRC servers.
The backdoor has a command for updating the worm from a predefined website. The website is not reachable at this point anymore.
F-Secure has created a special disinfection tool for this worm. F-Warpigs kills the running copy of the worm from the memory, removes the infected files and reverts the configuration changes the worm had made.
The F-Warpigs tool is available for download from: