NAME: Warpigs.B
ALIAS: W32/Warpigs.B, W32/Warpi.worm, W32.HLLW.Warpigs.B
Warpigs.B is a network worm with an IRC backdoor and self-updating capabilities. Warpigs.B was written in Visual C++ and it spreads in UPX packed form with the size of around 67KB.
Network spreading
Warpigs.B contains a really long password list with more than 1600 entries. The worm uses these when scanning for vulnerable hosts. If any of the passwords gives access to the victim the worm copies itself there. Warpigs.B has a copy of the psexec.exe tool in its body. Psexec is used to copy and run the worm on vulnerable hosts.
System infection
When Warpigs.B enters a system it copies itself to the System Directory as 'winupdate.exe'. It add references to this copy in the registry as
'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsupdate'
and
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsupdate'
The infected copy is also added to system.ini as
[Boot]
Shell=explorer winupdate.exe
With these modifications the worm makes sure that it will be started everytime the computer is started.
When scanning for vulnerable remote systems the worm drops a UPX packed copy the popular network tool psexec.exe. This file is dropped to the System Directory as 'pqonwe.exe'.
Backdoor
Warpigs.B is built around an IRC controlled backdoor component. The backdoor provides a remote attacker with full control over the infected machine.
When the worm is started the backdoor component connects to a predefined IRC channel. The IRC server this worm uses listens on port 5000 instead of the usual 6667 like other IRC servers.
The backdoor has a command for updating the worm from a predefined website. The website is not reachable at this point anymore.