WORM_PHORPIEX.JZ

 Analysis by: Anthony Joe Melgarejo

 ALIASES:

VirTool:Win32/Obfuscator.ACP (Microsoft), Trojan.Win32.Jorik (Ikarus), Win32/Kryptik.AREB (NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Spammed via email, Propagates via removable drives

This malware spams messages to users using Skype in order to propagate. The spammed messages contain links that lead to an automatic download of the malware itself. This malware also has backdoor routines, which compromises an affected system's security.

To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.

For the related story, you may read the blog post Shylock Not the Lone Threat Targeting Skype

This worm arrives as attachment to mass-mailed email messages. It arrives via removable drives.

It connects to Internet Relay Chat (IRC) servers. It executes commands from a remote malicious user, effectively compromising the affected system.

It deletes itself after execution.

  TECHNICAL DETAILS

File Size:

66,048 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

25 Dec 2012

Payload:

Compromises system security, Connects to URLs/IPs, Downloads files

Arrival Details

This worm arrives as attachment to mass-mailed email messages.

It arrives via removable drives.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %User Profile%\6489672321067478425\winsvc.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • g4u5f3dg4f

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows Update = "%User Profile%\6489672321067478425\winsvc.exe"

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%User Profile%\6489672321067478425\winsvc.exe = "%User Profile%\6489672321067478425\winsvc.exe*:Enabled:Microsoft Windows Update"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

  • {drive letter}:\843921.exe

Backdoor Routine

This worm connects to any of the following Internet Relay Chat (IRC) servers:

  • {BLOCKED}50.asia
  • {BLOCKED}50.in
  • {BLOCKED}50.pro

It joins any of the following IRC channel(s):

  • #go

It executes the following commands from a remote malicious user:

  • Download and execute arbitrary files

As of this writing, the said servers are currently inaccessible.

Download Routine

This worm saves the files it downloads using the following names:

  • %Application Data%\winsvcns.sys

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Other Details

This worm deletes itself after execution.

NOTES:

This worm creates .LNK (shortcut) files pointing to {drive letter}:\843921.exe in all removable drives using the folder names found in the removable drives.

It then hides the said folders.

This worm sends email messages containing a copy of itself as an attachment.

This worm queries the following mail server to harvest email addresses:

  • gmx.com

The email it sends out has the following characteristics:

  • Uses the following display names:

    Anthony
    Barbara
    Betty
    Brian
    Carol
    Charles
    Christopher
    Daniel
    David
    Deborah
    Donald
    Donna
    Dorothy
    Edward
    Elizabeth
    George
    Helen
    James
    Jason
    Jennifer
    Joseph
    Karen
    Kenneth
    Kevin
    Kimberly
    Laura
    Linda
    Margaret
    Maria
    Michael
    Michelle
    Nancy
    Patricia
    Richard
    Robert
    Ronald
    Sandra
    Sarah
    Sharon
    Steven
    Susan
    Thomas
    William
  • Subject:

    Is this you??
    Picture of you???
    Tell me what you think of this picture
    This is the funniest picture ever!
    I cant believe I still have this picture
    Someone showed me your picture
    Your photo isn't really that great
    I love your picture!
    What you think of my new hair color?
    What do you think of my new hair?
    You look so beautiful on this picture
    You should take a look at this picture
    Take a look at my new picture please
    What you think of this picture?
    Should I upload this picture on facebook?
    Someone told me it's your picture
  • Body:

    hahaha
    ;)
    :D
    :P
    :)
    LOL
    ;D

It uses the following file name for its attachment:

  • IMG{random number}-JPG.zip

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

9.618.02

FIRST VSAPI PATTERN DATE:

26 Dec 2012

VSAPI OPR PATTERN File:

9.619.00

VSAPI OPR PATTERN Date:

27 Dec 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as WORM_PHORPIEX.JZ

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Windows Update = "%User Profile%\6489672321067478425\winsvc.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %User Profile%\6489672321067478425\winsvc.exe = "%User Profile%\6489672321067478425\winsvc.exe*:Enabled:Microsoft Windows Update"

Step 5

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {drive letter}:\843921.exe
  • %Application Data%\winsvcns.sys
  • {drive letter}:\{folder name}.lnk

Step 6

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_PHORPIEX.JZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.