Win32/Phorpiex is a family of worms that spread via removable drives and IM (instant messaging) software. The worms also allow backdoor access and control.
Installation
You may have been infected by Win32/Phorpiex by connecting your computer to an already-infected removable drive, or from clicking a link in an IM window sent to you by an infected computer.
When run, variants of Win32/Phorpiex copy themselves to a folder in the %USERPROFILE% directory, for example:
%USERPROFILE%\M-1-52-5782-8752-5245
Note: %USERPROFILE% refers to a variable location that the malware determines by querying the operating system. The default location of the user profile folder is "C:\Documents and Settings\<user name>" on Windows 2000, XP and Server 2003, and "C:\Users\<user name>" on Windows Vista, 7 and 8.
The name of the folder changes from installation to installation of the worm.
Variants of Win32/Phorpiex have been observed to use the following file names when copying themselves:
- windsrcn.exe
- winmgr.exe
- winsam.exe
- winsrvc.exe
- winsvc.exe
The worm creates a registry entry to ensure that its copy runs at each Windows start, for example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"
Spreads via...
Removable drives
Variants of Win32/Phorpiex search for the presence of removable drives with a drive letter other than A: or B:.
If the worm finds a removable drive, it searches for any folders within the drive, sets that folder to "HIDDEN" and then creates a shortcut file that uses the folder's name and icon. The shortcut links to a copy of itself that the worm created in a separate hidden folder. It does this for all folders it finds on the drive.
The matching name, the absence of a visible extension (Windows Explorer never displays the ".lnk" extension of a shortcut, whatever the "Hide extensions for known file types" setting) and the folder icon are all meant to make each shortcut look like the folder it replaced, so that when you try to "open" the folder you run the worm instead.
In the following example, the worm finds the removable drive "G:" and the folders "first", "second" and "third" in its root.
The worm creates the folder "G:\84612795", copies itself into it as "first.exe", "second.exe" and "third.exe", and then sets the attributes of "first", "second", "third" and "84612795" to HIDDEN.
It then creates three shortcut files (LNK) to those copies, named "first.lnk", "second.lnk" and "third.lnk", each with a folder icon. Because Explorer does not show the ".lnk" extension, they appear in the drive root as "first", "second" and "third", exactly where the real folders used to be visible.
In this way, the worm intends for you to be lured in to "opening" what appear to be normal folders but are in fact shortcuts to the worm, which will then run.
Variants of Win32/Phorpiex also place an "autorun.inf" file in the root directory of the targeted drive, which may be detected as Worm:Win32/Autorun!inf.
Such "autorun.inf" files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically. Windows 7 and later ignore "autorun.inf" on USB and other non-optical removable media, and Microsoft later released an update that applies the same behaviour to Windows XP and Vista, so on patched systems this vector fails and the worm depends on the folder lure described above.
It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
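The following Python script is an added example, not code from the original page or from the worm. It builds a constructed replica of the "G:" layout described above in a temporary directory and scans it for the three indicators the text gives: a genuine shortcut file named exactly like a folder beside it, a sibling folder that holds an .exe for every such name, and an "autorun.inf" launch entry. The placeholder .exe and .lnk files are inert; only their names, and the 20-byte Shell Link header on the .lnk files, are realistic. To check a real drive, call scan_drive("G:\\") on a Windows machine.

```python
"""Scan a drive root for the folder-lure layout described above.

Added example, not code from the original page or from the worm. The sample
drive built by build_sample_drive() is constructed: the .exe and .lnk files
are inert placeholders that only carry realistic names and, for the .lnk
files, the real 20-byte Shell Link header.
"""
from __future__ import annotations

import configparser
import tempfile
from pathlib import Path

# Every Windows shortcut starts with HeaderSize 0x4C followed by the
# Shell Link CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# autorun.inf keys that can launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def is_shell_link(path: Path) -> bool:
    """True if the file carries a genuine Shell Link header, whatever its name."""
    with path.open("rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def is_hidden(path: Path) -> bool:
    """FILE_ATTRIBUTE_HIDDEN (0x2); st_file_attributes exists only on Windows."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & 0x2)


def autorun_commands(root: Path) -> list[str]:
    """Launch commands found in <root>/autorun.inf, in LAUNCH_KEYS order."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read(inf, encoding="latin-1")
    if not cfg.has_section("autorun"):
        return []
    return [cfg.get("autorun", key) for key in LAUNCH_KEYS if cfg.has_option("autorun", key)]


def scan_drive(root: str | Path) -> list[str]:
    """Report shortcuts that impersonate sibling folders, the folder holding
    their .exe targets, and any autorun.inf launch command."""
    root = Path(root)
    entries = list(root.iterdir())
    folders = {p.name.lower(): p for p in entries if p.is_dir()}
    shortcuts = {p.stem.lower(): p for p in entries
                 if p.is_file() and p.suffix.lower() == ".lnk" and is_shell_link(p)}
    findings: list[str] = []

    # 1. A real .lnk named exactly like a folder beside it is the lure itself.
    lured = sorted(name for name in shortcuts if name in folders)
    for name in lured:
        state = "hidden" if is_hidden(folders[name]) else "visible"
        findings.append(f"shortcut {shortcuts[name].name} impersonates {state} folder {folders[name].name}")

    # 2. The worm's drop folder holds one .exe per impersonated folder.
    for folder in folders.values():
        exes = {p.stem.lower() for p in folder.iterdir()
                if p.is_file() and p.suffix.lower() == ".exe"}
        if lured and set(lured) <= exes:
            findings.append(f"folder {folder.name} holds an .exe for every impersonated folder")

    # 3. autorun.inf, if present, says what runs on machines that still honour it.
    for cmd in autorun_commands(root):
        findings.append(f"autorun.inf launches {cmd}")
    return findings


def build_sample_drive(root: str | Path) -> Path:
    """Constructed replica of the page's G: example; nothing here is executable."""
    root = Path(root)
    drop = root / "84612795"
    drop.mkdir()
    for name in ("first", "second", "third"):
        (root / name).mkdir()                                  # the user's real folders
        (drop / f"{name}.exe").write_bytes(b"placeholder, not a PE file")
        (root / f"{name}.lnk").write_bytes(LNK_MAGIC + b"\0" * 56)  # header-only shortcut
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=84612795\\first.exe\nshell\\open\\command=84612795\\first.exe\n")
    return root


def demo() -> list[str]:
    """Build the sample drive in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The header check matters because the worm's files really are shortcuts; a file called "first.lnk" that is not a Shell Link is a different problem and is deliberately not counted. The hidden-attribute check is informational only, since an infection on a drive that was cleaned with the attributes left untouched still shows the shortcut-beside-folder pattern.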
Instant messaging software
Via their backdoor functionality, Win32/Phorpiex variants can be instructed to spread either themselves or other malware via IM software. When instructed to do so, the worm checks if any of the following applications are running on your computer:
- AIM
- Google Talk
- ICQ
- Paltalk
- Windows Live Messenger
- Xfire chat
If found, the worm randomly selects and posts a message, using the running IM software. The message is written in the language that is associated with your computer's location or region, and contains a link to the worm or other malware.
The following are some examples of the messages:
Arabic:
Armenian:
Belarusian and Ukrainian:
- подивися на цю фотографію ("look at this photo")
Bulgarian:
Chinese:
Dutch:
- ken je dat foto nog? ("do you still remember that photo?")
- kijk wat voor een foto ik heb gevonden ("look what kind of photo I found")
- ik hoop dat jij het net bent op dit foto ("I hope that's not you in this photo")
- ben jij dat op dit foto? ("is that you in this photo?")
- dit foto zal je echt eens bekijken! ("you really have to look at this photo!")
- ken je dit foto al? ("have you seen this photo yet?")
English:
- tell me what you think of this picture i edited
- this is the funniest photo ever!
- tell me what you think of this photo
- i don't think i will ever sleep again after seeing this photo
- i cant believe i still have this picture
- should i make this my default picture?
German:
- wie findest du das foto? ("what do you think of the photo?")
- hab ich dir das foto schon gezeigt? ("have I shown you the photo already?")
- schau mal das foto an ("take a look at the photo")
- schau mal welches foto ich gefunden hab ("look what photo I found")
- bist du das auf dem foto? ("is that you in the photo?")
- kennst du das foto schon? ("have you seen the photo already?")
Greek:
Hebrew:
Italian:
- ti piace la foto? ("do you like the photo?")
- hai visto questa foto? ("have you seen this photo?")
- la foto e grandiosa! ("the photo is great!")
- ti ricordi la Foto? ("do you remember the photo?")
- conosci la persona in questa foto? ("do you know the person in this photo?")
- chi e in questa foto? ("who is in this photo?")
Japanese:
Korean:
Latvian:
Lithuanian:
Maltese:
- iħares lejn dan ir-ritratt ("look at this photo")
Portuguese:
Romanian:
- nu imi mai voi face niciodat poze!! toate ies urate ca asta. ("I'll never have my picture taken again!! they all come out ugly like this one.")
- spune-mi ce crezi despre poza asta. ("tell me what you think of this picture.")
- asta e ce-a mai funny poza! tu ce zici? ("this is the funniest picture! what do you say?")
- zimi ce crezi despre poza asta? ("tell me what you think of this picture?")
Russian:
- подивися на цю фотографію (the same Ukrainian text as above, "look at this photo")
Spanish:
- creo que no voy a poder dormir más despues de ver esta foto. mirá. ("I don't think I'll be able to sleep any more after seeing this photo. look.")
- esta foto es graciosísima! que decis? ("this photo is hilarious! what do you say?")
- mis padres me van a matar si ven esta foto mia, que decis? ("my parents are going to kill me if they see this photo of me, what do you say?")
- mira como saliste en esta foto jajaja ("look how you came out in this photo hahaha")
Thai:
Payload
Allows backdoor access and control
Win32/Phorpiex attempts to connect to an IRC server, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on your computer, including the following:
- Join a particular IRC channel
- Download and execute arbitrary files
- Spread the worm or other malware via IM software
- Perform a denial of service attack on a specified target
- Remove the worm from your computer
Changes firewall settings
The malware adds itself to the list of applications that the Windows Firewall allows to communicate on the network, writing the entry directly to the registry rather than through the firewall's own interface, so no prompt is shown.
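The following Python script is an added example, not code from the original page, and serves both the Run-key persistence described under "Installation" and the firewall change described here. It parses a Regedit 5.00 export and flags entries that match the page's indicators. The export text is constructed; the Run value copies the page's example, and the firewall entry uses the Windows XP/2003 location and value format for authorized applications (HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, value data "<path>:*:Enabled:<label>"), which the page does not name. The drop-folder pattern M-<n>-<n>-<n>-<n>-<n> is generalised from the page's single example and is an assumption.

```python
"""Audit a Regedit export for the persistence and firewall changes described above.

Added example, not code from the original page. SAMPLE_EXPORT is constructed.
The firewall key path and value format are the Windows XP/2003 ones, not
something the page states. DROP_DIR is generalised from the page's one
example folder name "M-1-52-5782-8752-5245" and is an assumption.
"""
from __future__ import annotations

import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Windows XP/2003 firewall exception list; each value reads "<path>:*:Enabled:<label>".
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

PROFILE_DIR = re.compile(r"^(?:[a-z]:\\(?:users|documents and settings)\\|%userprofile%\\)", re.I)
DROP_DIR = re.compile(r"\\M(?:-\d+){5}\\", re.I)          # assumption, see module docstring
FW_ENTRY = re.compile(r"^(?P<path>.+?):\*:(?P<state>[A-Za-z]+):(?P<label>.*)$")
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string value"


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Map lower-cased key paths to their REG_SZ values from a 'Regedit 5.00' export."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := REG_LINE.match(line)):
            # Undo the export's \\ and \" escapes in one pass.
            name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            keys[current][name] = value
    return keys


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (source, display name, path) for entries matching the page's indicators."""
    reg = parse_reg_export(text)
    hits: list[tuple[str, str, str]] = []
    # Run entries launching an executable from a user profile drop folder.
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        exe = data.strip('"')
        if PROFILE_DIR.match(exe) and DROP_DIR.search(exe):
            hits.append(("run", name, exe))
    # Enabled firewall exceptions for the same kind of path.
    for data in reg.get(FW_LIST_KEY.lower(), {}).values():
        m = FW_ENTRY.match(data)
        if (m and m["state"].lower() == "enabled"
                and PROFILE_DIR.match(m["path"]) and DROP_DIR.search(m["path"])):
            hits.append(("firewall", m["label"], m["path"]))
    return hits


# Constructed export: one benign entry and the worm's entry under each key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"Microsoft Windows Update"="\"%USERPROFILE%\\M-1-52-5782-8752-5245\\winsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\bob\\M-1-52-5782-8752-5245\\winsvc.exe"="C:\\Documents and Settings\\bob\\M-1-52-5782-8752-5245\\winsvc.exe:*:Enabled:Microsoft Windows Update"
'''


def main() -> None:
    for source, name, path in audit(SAMPLE_EXPORT):
        print(f"{source:8} {name!r} -> {path}")


if __name__ == "__main__":
    main()
```

On a live XP or 2003 system, export the two keys with "reg export <key> <file>" and read the files with encoding "utf-16" before passing them to audit(). The value name "Microsoft Windows Update" is not used as an indicator on purpose: it is a lure the attacker can change, while the executable path in a user profile folder is what the infection cannot avoid. On Vista and later the firewall stores rules under a different key (FirewallPolicy\FirewallRules) in a different format, so the firewall half of this check does not apply there.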
Related encyclopedia entries
Worm:Win32/Autorun!inf
Analysis by Ray Roberts