W32/Warpigs.A
Analysis
- Virus is 32-bit with a compressed size of 63,520 bytes
- If the virus is run, it will copy itself to the Windows\System32 folder as “Discworld.exe” and then load into memory
- Virus will attempt to locate machines across the network and connect to them in order to infect them
- Virus will attempt to connect to target systems using the Administrator account and a hard-coded dictionary of passwords
- Virus uses the imports “WNetAddConnection2A”, “NetScheduleJobAdd” and “NetRemoteTOD” as a means to connect to, install and initiate the virus on remote systems
- Virus may terminate the following programs if they are running, as a means to hide its activities:
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
REGEDIT.EXE
- Virus may connect to an IRC channel and network and await instructions from a hacker or group of hackers
- Virus may modify the registry to load at Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"winsockdriver" = Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13 [November 10th, 2001] By PMG, http://iroffer.org/ - CYGWIN_NT-5.0 1.3.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"winsockdriver" = Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13 [November 10th, 2001] By PMG, http://iroffer.org/ - CYGWIN_NT-5.0 1.3.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update\
"bla" = (high ASCII characters)
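As an added example (not part of the original analysis), a small Python scanner that flags the three persistence entries listed above in a `reg export` text dump; the sample dump is constructed, and the key suffixes, value name and file name it matches on are taken from the entries above.

```python
"""Flag the W32/Warpigs.A registry persistence entries listed above in a
`reg export` text dump (added example; the sample dump is constructed)."""
import re

AUTORUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")
MARKER_KEY_SUFFIX = r"\software\microsoft\ms. update"  # key the virus creates
VALUE_NAME = "winsockdriver"    # value name used by the virus
DROPPED_FILE = "discworld.exe"  # file dropped into System32
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Return {key_path: [(value_name, data), ...]} from a .reg dump."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, [])
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current].append((m.group(1), m.group(2).strip().strip('"')))
    return keys

def scan_reg_export(text):
    """Return a list of findings; an empty list means no indicators seen."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith(MARKER_KEY_SUFFIX):
            findings.append(f"marker key present: {key}")
        if not k.endswith(AUTORUN_SUFFIXES):
            continue  # only Run/RunOnce entries are autorun indicators
        for name, data in values:
            if name.lower() == VALUE_NAME or DROPPED_FILE in data.lower():
                findings.append(f"autorun {key}\\{name} = {data}")
    return findings

# Constructed sample: one benign autorun entry plus the three keys above.
SAMPLE_DUMP = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"winsockdriver"="Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"winsockdriver"="Discworld.exe me winsockdriver DiscWorld iroffer v1.2b13"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. Update]
"bla"="(high ASCII characters)"
"""
```

Run `scan_reg_export(SAMPLE_DUMP)` to see one finding per malicious entry; the benign SecurityHealth entry is not reported.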