Win32/Phorpiex [Threat Name]
Win32/Phorpiex.C [Threat Variant Name]
Category | worm |
Size | 107998 B |
Aliases | Trojan:Win32/Dorv.C!rfn (Microsoft) |
Short description
Win32/Phorpiex.C is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself to some of the following locations:
- %windir%\M-505045058025025030484340240\winmgr.exe
- %userprofile%\M-505045058025025030484340240\winmgr.exe
- %temp%\M-505045058025025030484340240\winmgr.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Windows Manager" = "%malwareinstallfilepath%"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Microsoft Windows Manager" = "%malwareinstallfilepath%"
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
- "Start" = 4
This sets the Windows Defender service start type to SERVICE_DISABLED (4); the service is not stopped by the registry write itself, so the change takes effect the next time the service would start, typically at reboot.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%malwareinstallfilepath%" = "%malwareinstallfilepath%:*:Enabled:Microsoft Windows Manager"
This entry adds the worm's executable to the Windows Firewall exception list for the standard profile, so the firewall does not block its network connections.
After the installation is complete, the worm deletes the original executable file.
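The following PowerShell script is an added example and not part of the ESET entry. It checks a host for the installation artefacts listed above: the dropped winmgr.exe copies, the two Run values, the WinDefend start type and the firewall exception. The folder name, value name and key paths are taken from the entry; the script assumes they are exactly as documented for this variant and only reports what it finds.

```powershell
# Added example (not ESET's code): read-only triage for the Win32/Phorpiex.C
# installation artefacts documented in this entry.
# Assumption: directory and value names are exactly as listed for this variant.

$dirName   = 'M-505045058025025030484340240'
$valueName = 'Microsoft Windows Manager'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies: %windir%, %userprofile% and %temp%, each \<dirName>\winmgr.exe
foreach ($root in @($env:windir, $env:USERPROFILE, $env:TEMP)) {
    $candidate = Join-Path $root (Join-Path $dirName 'winmgr.exe')
    if (Test-Path -LiteralPath $candidate) {
        $size = (Get-Item -LiteralPath $candidate -Force).Length
        $findings.Add("Dropped file: $candidate ($size bytes)")
    }
}

# 2. Run-key persistence in HKLM and HKCU
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        $findings.Add("Run value: $runKey\$valueName = $($props.$valueName)")
    }
}

# 3. Windows Defender service start type: 4 = SERVICE_DISABLED
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend' -Name Start -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) {
    $findings.Add('WinDefend Start = 4 (service disabled)')
}

# 4. Legacy firewall exception list; values have the form "<path>:*:Enabled:<name>"
$fwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwList = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fwList) {
    foreach ($prop in $fwList.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -like "*:*:Enabled:$valueName") {
            $findings.Add("Firewall exception: $($prop.Name) = $($prop.Value)")
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Phorpiex.C installation artefacts found.' }
else { $findings }
```

Run it from an elevated prompt so the HKLM keys and %windir% are fully readable. A hit on any of the four checks is a strong indicator on its own, since neither the value name "Microsoft Windows Manager" nor the winmgr.exe path belongs to a legitimate Windows component.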
The worm terminates if it detects that it is running inside a specific virtual or analysis environment.
It quits immediately if a module loaded in its own process has a name containing one of the following strings:
- SBIEDLL.DLL
- SBIEDLLX.DLL
- VBOXHOOK.DLL
- WPESPY.DLL
- VMCHECK.DLL
- DIR_WATCH.DLL
Spreading
The worm searches local drives for files with the following file extensions:
- .exe
- .zip
- .rar
Only the following folders are searched:
- *\public_html\
- *\htdocs\
- *\httpdocs\
- *\wwwroot\
- *\ftproot\
- *\share\
- *\income\
- *\upload\
When the worm finds a file matching the search criteria, it overwrites the file's content; the file may be replaced with a copy of the worm, keeping its original name and extension.
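An added example, not from the entry, of how to look for the result of this overwrite on a web or file server: a .zip or .rar whose first bytes are a PE header ("MZ") rather than the archive magic ("PK" for ZIP, "Rar!" for RAR) has been replaced with an executable, and an .exe in one of these folders whose size equals the 107998 bytes listed for this variant is worth hashing and scanning. The script assumes the drive roots given in $roots and that the worm's copies keep the variant's file size; it only reports.

```powershell
# Added example (not ESET's code): find files in the worm's target folders that
# have been overwritten with an executable.
# Assumptions: $roots lists the drives to scan; copies keep the 107998-byte size
# given for this variant (other builds differ, so treat the size check as a hint).

$roots         = @('C:\')
$targetFolders = 'public_html', 'htdocs', 'httpdocs', 'wwwroot', 'ftproot', 'share', 'income', 'upload'
$variantSize   = 107998

function Get-FileMagic {
    param([string]$Path, [int]$Count = 4)
    # Read only the first bytes; enough to tell PE ("MZ") from ZIP ("PK") or RAR ("Rar!").
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n   = $stream.Read($buf, 0, $Count)
        [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    } finally {
        $stream.Dispose()
    }
}

# Every directory on the scanned drives whose name is one the worm targets
$folders = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $targetFolders -contains $_.Name }
}

foreach ($folder in $folders) {
    Get-ChildItem -Path $folder.FullName -File -Recurse -Force -Include *.exe, *.zip, *.rar -ErrorAction SilentlyContinue |
        ForEach-Object {
            $issue = $null
            switch ($_.Extension.ToLower()) {
                '.zip' { if ((Get-FileMagic $_.FullName) -like 'MZ*') { $issue = 'PE header where ZIP magic "PK" was expected' } }
                '.rar' { if ((Get-FileMagic $_.FullName) -like 'MZ*') { $issue = 'PE header where RAR magic "Rar!" was expected' } }
                '.exe' { if ($_.Length -eq $variantSize) { $issue = "size matches Win32/Phorpiex.C ($variantSize bytes)" } }
            }
            if ($issue) {
                [PSCustomObject]@{ Path = $_.FullName; Size = $_.Length; Issue = $issue }
            }
        }
}
```

Hash every hit and compare it with the file's source copy or backup. An .exe of a different size can still be a worm copy from another build, so a size mismatch does not clear a file; the archive magic check, by contrast, is conclusive for .zip and .rar.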
Spreading on removable media
Win32/Phorpiex.C is a worm that spreads via removable media.
The worm creates the following files:
- %drive%\l.jpg
- %drive%\Manager.js (78 B, Win32/Phorpiex.C)
- %drive%\DeviceManager.bat (Win32/Phorpiex.C)
- %drive%\.lnk (257 B)
The following file is dropped in the same folder:
- autorun.inf (7299 B, INF/Autorun.T)
The autorun.inf file contains the path to the malware executable, so on systems that honour AutoRun for removable media the worm is started each time the infected media is inserted.
Where AutoRun for removable media is disabled (the default on Windows 7 and later, and on older versions after the 2011 AutoRun update), autorun.inf alone does not launch the worm; the dropped .lnk then depends on the user opening it.
The worm moves the following files (source, destination):
- %drive%\*, %drive%\_\*
It avoids files with the following filenames:
- Manager.bat
- Manager.js
- DeviceManager.bat
- autorun.inf
- l.jpg
- .lnk
- _
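The following PowerShell script is an added example, not part of the ESET entry, that turns the file list above into a review-and-cleanup step for a removable volume: it reports the dropped files and the "_" folder the worm moved the user's files into, and with -Remediate removes the dropped files and moves the originals back to the root. It assumes $Drive is the volume root (for example 'E:\') and that the file names are exactly as listed for this variant.

```powershell
# Added example (not ESET's code): inspect a removable volume for the files this
# worm drops and the "_" folder it moves the user's files into; with -Remediate,
# delete the dropped files and move the originals back.
# Assumption: $Drive is the volume root, e.g. 'E:\'; run once without -Remediate first.

param(
    [Parameter(Mandatory = $true)][string]$Drive,
    [switch]$Remediate
)

$droppedNames = 'autorun.inf', 'DeviceManager.bat', 'Manager.bat', 'Manager.js', 'l.jpg', '.lnk'
$hiddenDir    = Join-Path $Drive '_'

# Dropped artefacts in the root (-Force so hidden or system files are not skipped)
$dropped = foreach ($name in $droppedNames) {
    $p = Join-Path $Drive $name
    if (Test-Path -LiteralPath $p -PathType Leaf) { Get-Item -LiteralPath $p -Force }
}
foreach ($f in $dropped) { "Dropped: $($f.FullName) ($($f.Length) bytes)" }

# User files the worm relocated
$moved = @()
if (Test-Path -LiteralPath $hiddenDir -PathType Container) {
    $moved = @(Get-ChildItem -LiteralPath $hiddenDir -Force)
    "Relocated into ${hiddenDir}: $($moved.Count) item(s)"
}

if (-not $Remediate) { return }

foreach ($f in $dropped) {
    Remove-Item -LiteralPath $f.FullName -Force
    "Removed $($f.FullName)"
}
foreach ($item in $moved) {
    $dest = Join-Path $Drive $item.Name
    if (Test-Path -LiteralPath $dest) {
        # Never overwrite: a same-named file in the root may be a worm copy or a newer original
        Write-Warning "Not restoring $($item.Name): $dest already exists"
        continue
    }
    Move-Item -LiteralPath $item.FullName -Destination $dest
    "Restored $dest"
}
if ((Test-Path -LiteralPath $hiddenDir) -and -not (Get-ChildItem -LiteralPath $hiddenDir -Force)) {
    Remove-Item -LiteralPath $hiddenDir -Force
}
```

Save it as Clean-PhorpiexUsb.ps1, run `.\Clean-PhorpiexUsb.ps1 -Drive E:\` to review, then again with `-Remediate`. The entry does not state where the worm's executable copy lives on the drive, so scan the volume with an up-to-date engine before reuse; the restored files themselves are the user's originals, since the worm moves them rather than altering them.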
Information stealing
The worm collects the following information:
- operating system version
- language settings
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of 18 URLs. It communicates over the IRC protocol on TCP.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- perform DoS/DDoS attacks
- uninstall itself