Win32/Serpip [Threat Name]

Win32/Serpip.A [Threat Variant Name]

Category virus
Detection created Jul 10, 2012
Detection database version 7286
Aliases Worm.Win32.Fipp.a (Kaspersky)
  Virus:Win32/Morto.A (Microsoft)
  W32.Morto.B (Symantec)
  W32/Pift (McAfee)
Short description

Win32/Serpip.A is a polymorphic file infector.

Installation

When executed, the virus moves the following files (source, destination):

  • %system%\wmicuclt.exe, %system%\wmicuclt

The virus creates copies of the following files (source, destination):

  • %system%\wscript.exe, %system%\wmicuclt.exe

The virus modifies the following file:

  • %system%\wmicuclt.exe

The virus writes the program code of the malware into the file.


The virus registers itself as a system service using the following name:

  • Remote Access Connection Service (%system%\wmicuclt.exe)

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\360rp]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zhudongfangyu]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ekrn]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MsMpSvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avp]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\V3 Service]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntiVirService]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\a2AntiMalware]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FSORSPClient]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FSMA]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\F-Secure Gatekeeper Handler Starter]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kxescore]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kxesapp]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AVGwd]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AVGIDSAgent]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NIS]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast! Antivirus]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vsserv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mcshield]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mcods]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\amsp]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RsRavMon]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SavService]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PavFnSvr]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pavsrv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\System\Select]
    • "v" = %malwarebody%
    • "plg" = "%variable1%"
    • "ext" = "%variable2%"
    • "tst" = "%variable3%"
    • "pu" = "%user%-%domain%"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\wmicucltsvc]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows]
    • "NoPopUpsOnBoot" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
    • "DontshowUI" = 1
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wmicucltsvc]
    • "Type" = 32
    • "Start" = 2
    • "ImagePath" = "%system%\wmicuclt.exe"
    • "DisplayName" = "Remote Access Connection Service"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Stores security information for local user accounts."
    • "WOW64" = "%variable4%"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wmicucltsvc\Security]
    • "Security" = "%variable5%"

A string with variable content is used instead of %variable1-5%.


The virus creates and runs a new thread with its own program code within the following processes:

  • svchost.exe
  • lsass.exe

Executable file infection

Win32/Serpip.A is a polymorphic file infector.


The virus searches fixed drives for executable files to infect. It also infects files stored on removable and network drives.


The virus searches for files with the following file extensions:

  • .exe

It avoids files which contain any of the following strings in their path:

  • windows
  • winnt
  • qq
  • Outlook
  • System Volume Information
  • RECYCLER
  • Internet Explorer
  • Movie Maker
  • Messenger
  • Common Files
  • Microsoft

Executables are infected by appending the code of the virus to the last section.


The size of the inserted code is 47 KB.


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The virus inserts the following text/marker into the header of the infected executable files:

  • PPIF

The marker is used to determine whether the file is already infected or not.
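As an added triage example (not ESET's code), the following Python helper looks for the PPIF marker in the PE header region of a file, the only placement the page states. It constructs its own minimal PE sample for offline use; the marker's exact header field and the sample layout are assumptions.

```python
import struct

MARKER = b"PPIF"   # infection marker named on the page

def pe_header_region(data: bytes) -> bytes:
    """Return the header region of a PE file: DOS header, DOS stub, NT
    headers and section table. Returns b"" when data is not a plausible PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return b""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return b""
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    end = e_lfanew + 24 + opt_hdr_size + 40 * num_sections
    return data[:min(end, len(data))]

def has_serpip_marker(data: bytes) -> bool:
    """True if the PPIF marker appears anywhere in the PE header region.
    A hit outside the headers (e.g. in section data) is deliberately ignored,
    since the page places the marker in the header."""
    return MARKER in pe_header_region(data)

def build_sample(infected: bool) -> bytes:
    """Constructed minimal PE image used as test input (not a real binary).
    Assumption: the marker is written into the unused DOS stub area at 0x40;
    the page does not say which header field Serpip.A uses."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> NT headers
    if infected:
        dos[0x40:0x44] = MARKER
    # IMAGE_FILE_HEADER: i386, 1 section, 0xE0-byte optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytes(0xE0)                            # zeroed optional header
    section = b".text".ljust(8, b"\0") + bytes(32)   # one 40-byte section entry
    body = b"\0" * 64                                # section data placeholder
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + section + body

if __name__ == "__main__":
    for label, sample in (("infected", build_sample(True)),
                          ("clean", build_sample(False))):
        print(label, "->", "PPIF marker found" if has_serpip_marker(sample)
              else "no marker")
```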

Spreading

Win32/Serpip.A is a virus that spreads via shared folders.


The virus tries to copy itself into shared folders of machines on a local network.


The following usernames are used:

  • administrator
  • admin
  • user
  • test

The following passwords are used:

  • 0
  • 1
  • 3
  • 3.1415926
  • 7
  • 12
  • 110
  • 111
  • 123
  • 369
  • 520
  • 1111
  • 1212
  • 1234
  • 1313
  • 2000
  • 2002
  • 2003
  • 2010
  • 2011
  • 2012
  • 2112
  • 2222
  • 2600
  • 3333
  • 4128
  • 4321
  • 4444
  • 5150
  • 5555
  • 6666
  • 6969
  • 7777
  • 11111
  • 12345
  • 54321
  • 100200
  • 110110
  • 111111
  • 111222
  • 112233
  • 112358
  • 121212
  • 123123
  • 123321
  • 123456
  • 123654
  • 131313
  • 147258
  • 159357
  • 168168
  • 198612
  • 201314
  • 211314
  • 222222
  • 232323
  • 333333
  • 520520
  • 521521
  • 555555
  • 654321
  • 666666
  • 696969
  • 777777
  • 789456
  • 888888
  • 987654
  • 999999
  • 1111111
  • 1234567
  • 1314520
  • 1314521
  • 5201314
  • 5211314
  • 7758258
  • 7758521
  • 7777777
  • 11111111
  • 11223344
  • 12344321
  • 12345678
  • 20070315
  • 22222222
  • 31415926
  • 77777777
  • 88888888
  • 123123123
  • 123456789
  • 147258369
  • 987654321
  • 1234567890
  • 1.23321E+12
  • !@#$
  • !@#$%
  • !@#$%^
  • !@#$%^&*
  • !@#$%^&*()
  • !@#123
  • !@#123456
  • !password!
  • %u%
  • %u%1
  • %u%111111
  • %u%12
  • %u%123
  • %u%1234
  • %u%123456
  • 123!@#
  • 123456!@#
  • 1234qwer
  • 123abc
  • 123asd
  • 123pass
  • 123qaz456wsx
  • 123qwe
  • 1pass
  • 1q2w3e
  • 1QAZ
  • 1qaz2wsx
  • a
  • aaa
  • aaaa
  • aaaaaa
  • abc
  • abc123
  • abcd
  • abcd1234
  • access
  • adm1n
  • admin
  • Admin
  • admin!@#
  • admin!@#123
  • admin123
  • adminadmin
  • admini
  • administrator
  • alpha
  • asdf
  • asdfghjkl
  • baseball
  • batman
  • computer
  • database
  • dragon
  • enable
  • fangyou
  • foobar
  • football
  • fuck
  • fuckme
  • god
  • godblessyou
  • harley
  • home
  • hunter
  • ihavenopass
  • iloveyou
  • Internet
  • iwantu
  • jennifer
  • jordan
  • killer
  • letmein
  • login
  • Login
  • love
  • master
  • michael
  • mima
  • monkey
  • mustang
  • mypass
  • mypass123
  • mypassword
  • mypc
  • mypc123
  • oapass
  • oapassword
  • oracle
  • owner
  • P@ssW0rd
  • pa$$0rd
  • pass
  • pass0rd
  • pass123
  • pass123456
  • pass123word456
  • passpass
  • passwd
  • password
  • PASSWORD
  • Password
  • password1
  • pat
  • patrick
  • pc
  • princess
  • pussy
  • pw123
  • pwd
  • qazwsx
  • qazwsx123456
  • qwer
  • qwerty
  • qwertyuiop
  • ranger
  • robert
  • rock
  • rockyou
  • root
  • sa
  • secret
  • server
  • sex
  • shadow
  • soft
  • super
  • sybase
  • tasklist
  • temp
  • temp123
  • test
  • test123
  • testtest
  • thomas
  • tigger
  • trustno1
  • user
  • user123
  • win
  • windows
  • windows2000
  • windows2003
  • windowsxp
  • woaini
  • woaiwojia
  • xp
  • xxx
  • xxxx
  • xxxxx
  • xxxxxx
  • xxxxxxxx
  • yxcv
  • zxcv
  • zxcvbnm
  • zzzzzz

If it succeeds, the virus creates copies of the following files (source, destination):

  • \\%hostname%\ADMIN$\system32\wscript.exe, \\%hostname%\ADMIN$\system32\wmicuclt.exe

It infects the following files:

  • \\%hostname%\ADMIN$\system32\wmicuclt.exe

The file is then remotely executed.


The virus registers itself as a system service using the following name:

  • Remote Access Connection Service (wmicuclt.exe)

Other information

The virus connects to the following addresses:

  • d.ppns.info
  • e.ppift.net
  • e.ppift.com
  • e.ppift.in

The virus can download and execute a file from the Internet.


The virus may create and run a new thread with its own program code within any running process.


The virus may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "V3 Session Process"
    • "MSC"
    • "F-Secure Manager"
    • "F-Secure TNB"
    • "a-squared"
    • "IKARUS-GuardX"
    • "ShStatEXE"
    • "Sophos AutoUpdate Monitor"
    • "AVP"
    • "AVG_TRAY"
    • "egui"
    • "360sd"
    • "360Tray"
    • "G Data AntiVirusTray Application"
    • "BDAgent"
    • "BitDefender Antiphishing Helper"
    • "avgnt"
    • "kxesc"
    • "Trend Micro Client Framework"
    • "RavTRAY"
    • "APVXDWIN"
  • [HKEY_USERS\%variable%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "V3 Session Process"
    • "MSC"
    • "F-Secure Manager"
    • "F-Secure TNB"
    • "a-squared"
    • "IKARUS-GuardX"
    • "ShStatEXE"
    • "Sophos AutoUpdate Monitor"
    • "AVP"
    • "AVG_TRAY"
    • "egui"
    • "360sd"
    • "360Tray"
    • "G Data AntiVirusTray Application"
    • "BDAgent"
    • "BitDefender Antiphishing Helper"
    • "avgnt"
    • "kxesc"
    • "Trend Micro Client Framework"
    • "RavTRAY"
    • "APVXDWIN"

A string with variable content is used instead of %variable%.
