Installation
When run, the worm creates a mutex named "J9Zf6Fe67fZTFt" to ensure that only one copy of the worm is running at any one time.
It copies itself as %ALLUSERSPROFILE%\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe, then runs this copy.
It makes the following changes to the registry to ensure its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "Microsoft® Update Service"
With data: "%ALLUSERSPROFILE%\Microsoft-Driver-1-82-8475-5627-5645\winrsvn.exe"
Spreads via…
Removable drives
The worm enumerates drives on your computer, looking for removable drives that are not A: and B:. If it finds any, it makes a copy of itself, such as the following, with 'hidden' and 'system' file attributes:
It then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
If the worm finds any folders on the removable drive, it sets the 'hidden' attribute for those and creates a shortcut file with the name of the folder. This shortcut file points to another worm copy stored in a hidden folder. For example, if the worm finds "<Drive>:\MyFolder", it creates "<Drive>:\MyFolder.lnk", which points to a hidden copy of the worm, for example, "<Drive>:\589485658\MyFolder.exe".
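As an added example that is not part of the original analysis, the Python script below checks a removable-drive root for the two spreading artifacts just described: an autorun.inf that launches an executable, and a <Folder>.lnk beside each folder whose namesake .exe sits in an all-digit folder. The layout it builds to scan is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

DIGITS_DIR = re.compile(r"^\d+$")  # all-digit stash folder, e.g. "589485658" above
# autorun.inf keys that launch a program; matching is case-insensitive.
AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute)\s*=\s*(.+?)\s*$", re.IGNORECASE)

def autorun_targets(root: Path) -> list:
    """Return every path named by open=/shellexecute= in root/autorun.inf."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    lines = inf.read_text(errors="ignore").splitlines()
    return [m.group(2) for m in map(AUTORUN_KEY.match, lines) if m]

def folder_lnk_decoys(root: Path) -> list:
    """Return (shortcut, executable) pairs where <Folder>.lnk sits beside folder
    <Folder> and an all-digit folder holds <Folder>.exe, as the worm arranges."""
    subdirs = [d for d in root.iterdir() if d.is_dir()]
    stashes = [d for d in subdirs if DIGITS_DIR.match(d.name)]
    findings = []
    for d in subdirs:
        lnk = root / (d.name + ".lnk")
        if not lnk.is_file():
            continue
        for stash in stashes:
            exe = stash / (d.name + ".exe")
            if exe.is_file():
                findings.append((lnk.name, exe.relative_to(root).as_posix()))
    return findings

def scan_drive(root) -> dict:
    """Run both checks against a drive root; empty lists mean nothing was found."""
    root = Path(root)
    return {"autorun": autorun_targets(root), "decoys": folder_lnk_decoys(root)}

def build_sample_drive() -> Path:
    """Constructed test layout mirroring the description; contains no real malware."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    (root / "MyFolder").mkdir()
    (root / "MyFolder.lnk").write_bytes(b"L\x00\x00\x00")        # stand-in for a .lnk
    (root / "589485658").mkdir()
    (root / "589485658" / "MyFolder.exe").write_bytes(b"MZ")      # stand-in for the copy
    (root / "autorun.inf").write_text("[autorun]\nopen=589485658\\MyFolder.exe\n")
    (root / "Photos").mkdir()                                      # clean folder, no .lnk
    return root

if __name__ == "__main__":
    print(scan_drive(build_sample_drive()))
```

On Windows the hidden and system attributes described above could be checked as well via os.stat().st_file_attributes; the structural pattern alone is enough to flag the layout.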
Windows Live Messenger
Worm:Win32/Phorpiex.A checks to see if Windows Live Messenger is installed on your computer. If found, it sends a message to all of your Live Messenger contacts containing a URL. The URL points to a worm copy.
The message can be one of several different phrases, and is dependent on the locale and system language of the infected computer. Some examples of the message can be seen below:
- In English:
tell me what you think of this picture i edited
this is the funniest photo ever!
tell me what you think of this photo
t think i will ever sleep again after seeing this photo
i cant believe i still have this picture of you from last winter
should i make this my default picture?
my parents are going to kill me if they find this picture
- In French:
Je ne pense pas que je vais pouvoir dormir après avoir vu ces photos.
Je n' arrive pas a croire que j'ai encore cette photo de toi depuis l hiver dernier.
Devrais-je mettre cette photo de profile?
Cest la photo la plus marrante!
Dis moi ce que tu pense de cette photo de moi?
Mes parents vont me tués si ils trouvent cette photo
- In Spanish:
Creo que no voy a poder dormir más despues de ver esta foto. Mirá.
Quedaría bien si pongo esta foto en mi perfil? O me veo medio mal?
Esta foto es graciosísima! Que decis?
Mis padres me van a matar si ven esta foto mia, que decis?
Mira como saliste en esta foto jajaja
- In German:
hab ich dir das foto schon gezeigt?
das foto solltest du wirklich sehen
schau mal das foto an
unglaublich welche fotos leute von sich machen schau mal
so will ich nicht aussehen wenn ich alt bin
kennst du die person aufm foto?
kennst du das foto schon?
die sieht aus wie angela merkel
wer zum teufel ist das auf diesem foto
- In Romanian:
Spune-mi ce crezi despre poza asta.
Asta e ce-a mai funny poza!Tu ce zici?
Zimi ce crezi despre poza asta?
Nu cred ca voi mai putea dormi dupa ce am vazut poza asta. Tu ce zici?
Nu imi mai voi face niciodat poze!! Toate ies urate ca asta
- In Italian:
ti piace la foto?
hai visto questa foto?
ti ricordi la Foto?
dopo che hai visto la foto, tu non dormirai piu
conosci la persona in questa foto?
chi e in questa foto?
Payload
Changes security settings
The worm changes your computer's security settings by making changes to the registry; by doing so, it adds itself to the list of trusted processes that are authorized to access your network.
Allows backdoor access and control
The worm tries to connect to the following IRC servers via TCP port 5500, join a channel and wait for commands:
Using this backdoor, an attacker can perform a number of actions on your computer, including the following:
- Remove itself
- Download and run arbitrary files
- Spread via Windows Live Messenger
- Perform a Denial of Service attack (using SYN flooding) on a specific target
Analysis by Ray Roberts