Win32/Phorpiex [Threat Name]

Win32/Phorpiex.C [Threat Variant Name]

Category worm
Size 107998 B
Aliases Trojan:Win32/Dorv.C!rfn (Microsoft)
Short description

Win32/Phorpiex.C is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


When executed, the worm copies itself to some of the following locations:

  • %windir%\M-505045058025025030484340240\winmgr.exe
  • %userprofile%\M-505045058025025030484340240\winmgr.exe
  • %temp%\M-505045058025025030484340240\winmgr.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows Manager" = "%malwareinstallfilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows Manager" = "%malwareinstallfilepath%"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
    • "Start" = 4

This disables the Windows Defender service.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwareinstallfilepath%" = "%malwareinstallfilepath%:*:Enabled:Microsoft Windows Manager"

This entry creates an exception in Windows Firewall for the worm's executable.

After the installation is complete, the worm deletes the original executable file.

The worm terminates its execution if it detects that it's running in a specific virtual environment.

The worm quits immediately if it detects a loaded module within its own process whose name contains one of the following strings:


The worm searches local drives for files with the following file extensions:

  • .exe
  • .zip
  • .rar

Only the following folders are searched:

  • *\public_html\
  • *\htdocs\
  • *\httpdocs\
  • *\wwwroot\
  • *\ftproot\
  • *\share\
  • *\income\
  • *\upload\

When the worm finds a file matching the search criteria, it overwrites its content.

The worm may replace these files with a copy of itself.

Spreading on removable media

Win32/Phorpiex.C is a worm that spreads via removable media.

The worm creates the following files:

  • %drive%\l.jpg
  • %drive%\Manager.js (78 B, Win32/Phorpiex.C)
  • %drive%\DeviceManager.bat (Win32/Phorpiex.C)
  • %drive%\.lnk (257 B)

The following file is dropped in the same folder:

  • autorun.inf (7299 B, INF/Autorun.T)

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm moves the following files (source, destination):

  • %drive%\*, %drive%\_\*

It avoids files with the following filenames:

  • Manager.bat
  • Manager.js
  • DeviceManager.bat
  • autorun.inf
  • l.jpg
  • .lnk
  • _
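
A read-only triage of a mounted drive root against the file layout described in this section, as an added example that is not part of the original write-up or of any vendor tooling. The function names and the verdict thresholds are assumptions of this example; the file names and sizes are the ones listed above.

```python
import os
import re
import sys

# Root-level names and sizes (bytes) from the write-up above; None = no size given.
DROPPED = {"l.jpg": None, "manager.js": 78, "devicemanager.bat": None,
           ".lnk": 257, "autorun.inf": 7299}
# Names the worm leaves in place when it moves everything else into "_".
SKIPPED = set(DROPPED) | {"manager.bat", "_"}
# autorun.inf keys that launch a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)


def autorun_targets(path):
    """Return the command lines an autorun.inf would launch."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # tolerate junk padding bytes
    return [m.group(2) for m in LAUNCH_KEY.finditer(text)]


def triage_drive_root(root):
    """Read-only check of one drive root against the described layout."""
    entries = {e.name.lower(): e for e in os.scandir(root)}
    dropped = sorted(n for n in DROPPED if n in entries and entries[n].is_file())
    size_hits = sorted(n for n in dropped if DROPPED[n] == entries[n].stat().st_size)
    stash = entries.get("_")
    has_stash = bool(stash and stash.is_dir())
    # User files still in the root mean the "move everything into _" step did not run.
    leftovers = sorted(n for n in entries if n not in SKIPPED)
    targets = autorun_targets(entries["autorun.inf"].path) if "autorun.inf" in dropped else []
    # Thresholds are assumptions: autorun.inf or "_" alone is common on clean media.
    if len(dropped) >= 3 and has_stash and not leftovers:
        verdict = "matches"
    elif len(dropped) >= 2 or (dropped and has_stash):
        verdict = "partial"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "dropped": dropped, "size_hits": size_hits,
            "stash_items": len(os.listdir(stash.path)) if has_stash else 0,
            "leftovers": leftovers, "autorun_targets": targets}


if __name__ == "__main__":
    print(triage_drive_root(sys.argv[1]))  # argument: path of the mounted drive root
```

Run it against media mounted read-only on an analysis workstation; `stash_items` tells you how many of the user's original files are waiting in the `_` folder to be restored.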

Information stealing

The worm collects the following information:

  • operating system version
  • language settings

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 18 URLs. The TCP and IRC protocols are used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • uninstall itself
