Piggi

System Infection

Upon execution, Piggi.A creates the following registry entries so as to start automatically with Windows:

• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] top\worm = [malware's path and filename]
• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] SvcHost = "C:\WINDOWS\system32\svchost.exe:svchost.exe"

It also drops a file named msfsr.sys in the Windows system directory and another random .sys file on C:\WINDOWS\system32\drivers\ and starts them as a service.

These are the registry keys for the services Piggi.A creates:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msfsr
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random_name]

It will also copy itself to "C:\Program Files\Internet Explorer\iexplore.exe". The original iexplore.exe will be moved to the folder:

• C:\WINDOWS\system32\dllcache\

It also creates copies of itself to folders with the following strings:

• BearShare
• Collections
• Downloads
• my shared folder
• share
• shared
• upload
• uploads

The filename is any of the following:

• 10,000 B.C.
• 28 Weeks Later
• 30 Days of Night
• 30 Rock season 2
• Across the Universe
• Age of Conan-Hyborian Adventures
• Alpha Dog
• American Gangster
• Angel-A
• Angelina Jolie(unseen)
• Are We Done Yet?
• Atonement
• August Rush
• Balls of Fury
• Because I Said So
• Beowulf
• Black Book
• Blades of Glory
• Breach
• Britney Spears(unseen)
• Brother & Sisters season 2
• Captivity
• Carmen Electra(unseen)
• Command & Conquer 3-Tiberium Wars
• Company of Heroes
• Criminal Minds - next season
• CSI-London
• Dallas
• Dancing with the Stars - next season
• Death at a Funeral
• Delta Farce
• Desperados 2-Cooper's Revenge
• Desperate Housewives - next season
• Disturbia
• Dragon Age
• Dreamfall-The Longest Journey
• Dungeons & Dragons Online-Stormreach
• Eastern Promises
• El Cantante
• Elder Scrolls IV-Oblivion
• Enchanted
• Enemy Territory-Quake Wars
• Epic Movie
• Evening
• Fantastic Four 2
• Final Fantasy XIV
• Firehouse Dog
• Fly Me to the Moon
• Foodfight!
• Fracture
• Fragile
• Freedom Writers
• Full Auto 2-Battlelines
• Full of It
• Gears of War
• Ghost Recon-Advanced Warfighter
• Gilmore Girls season 8
• God Grew Tired of Us
• Gran Turismo HD
• Grand Theft Auto IV
• Grind House
• Guild Wars-Factions
• Hairspray
• Half-Life 2-Aftermath
• Halloween
• Hannibal Rising
• Hellgate-London
• Heroes of Might & Magic V
• Hilary Duff(unseen)
• His Dark Materials-The Golden Compass
• Horton Hears a Who
• Hostel 2
• Hot Fuzz
• Hot Rod
• In the Land of Women
• Inkheart
• Iron Man
• Jennifer Lopez(unseen)
• Jessica Alba(unseen)
• Jessica Simpson(unseen)
• Journey 3-D
• Jumper
• Kidnapped season 2
• Kingdom Hearts 2
• Kung Fu Panda
• La Vie en Rose
• Lucky You
• Lust, Caution
• Master of Time and Space
• Metal Gear-Subsistence
• Metroid Prime Hunters
• No Reservations
• Ocean's Thirteen
• Offside
• Okami
• Opus-The Last Christmas
• Pamela Anderson(unseen)
• Paris Hilton(unseen)
• Pathfinder
• Perfect Stranger
• Pride
• Pride & Glory
• Prison Break season 3
• Prom Night (2007)
• Rainbow Six-Vegas
• Red Steel
• Reservation Road
• Resistance-Fall of Man
• Rise of Nations-Rise of Legends
• Rocket Science
• Rogue
• Romeo & Juliet-Sealed with a Kiss
• S.T.A.L.K.E.R.-Shadow of Chernobyl
• Scrubs - next season
• Seven Day Itch
• Severance
• Shoot 'Em Up
• Shooter
• Skinwalkers
• Slow Burn
• Smokin' Aces
• South Park season 11
• Southland Tales
• Splinter Cell Essentials
• Splinter Cell-Double Agent
• Spring Breakdown
• Standoff season 2
• Star Trek-Legacy
• Star Wars-Empire at War
• Starcraft-Ghost
• Stardust
• Stomp the Yard
• Strange Wilderness
• Strangers
• Sunshine
• Super Bad
• Supreme Commander
• Surf's Up
• Talk to Me
• The Assassination of Jesse James
• The Astronaut Farmer
• The Dark Is Rising
• The Flock
• The Half Life of Timofey Berezin
• The Hitcher
• The Hoax
• The Host
• The Ice at the Bottom of the World
• The Invasion
• The Invisible
• The Kingdom
• The Last Legion
• The Last Sin Eater
• The Lives of Others
• The Lord of the Rings-The Battle for Middle-earth II
• The Messengers
• The Namesake
• The Nine season 2
• The Number 23
• The OC season 5
• The Office season 4
• The Reaping
• The Simpsons
• The Spiderwick Chronicles
• The Transformers
• The TV Set
• The Ultimate Gift
• The Valet
• The Waterhorse
• This Christmas
• Til Death season 2
• Too Human
• Trade
• Trick 'r Treat
• Ugly Betty season 2
• Underdog
• Untraceable
• Vacancy
• Vanguard Saga of Heros
• Vantage Point
• Veronica Mars - next season
• Vista
• Vista Ultimate
• Whisper
• Wild Hogs
• Without a Trace - next season
• Wonder Woman
• World of Warcraft-The Burning Crusade
• Zodiac

The file name includes any of the following extensions:

• - Full.exe
• - Keygen.exe
• .avi.com
• .iso.exe
• .mp4.com
• .zip.exe

Examples:

• Half-Life 2-Aftermath.avi.com
• World of Warcraft-The Burning Crusade - Keygen.exe
• World of Warcraft-The Burning Crusade.mp4.com

Stops Antivirus Services

Piggi.A also stops running antivirus services with the following names:

• McShield
• navapsvc
• SymAppCor

Then copies itself to the following folders:

• C:\Program Files\McAfee.com\Agent\mcupdate.exe
• C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
• C:\Program Files\Symantec\LiveUpdate\LUALL.EXE

This is to ensure that these antivirus applications cannot perform an automatic update.

Rootkit Capability

This malware hides its own process and files using two kernel-mode drivers.

These are:

• msfsr.sys - dropped in the Windows system directory and run as service. This creates a device, so that user-mode can communicate with it and allows the user-mode component to hide any process_id it wants.
• [random_name].sys - dropped in %windir%\system32\drivers\ and run as service. This hides any files that are defined in the created c:\zyxwvuts.log file. Below is an example of the string inside the said file:
  • file:zyxwvuts
  • file:msfsr
  • file:[random_name]
  • file:wor

Spreading via email

The worm collects email addresses from the infected computer. It locates the WAB (Windows Address Book) file and Temporary Internet files. The following are the details:

The worm sends itself as attachment to the gathered email addresses using the following format:

• TO:
  • [Gathered email address]
• FROM:

  The From field may use any of these addresses:

  • updates@McAfee.com
  • updates@Microsoft.com
  • updates@Symantec.com
• They may use any of these domain names:
  • aol.com
  • hotmail.com
  • msn.com
  • yahoo.com
• SUBJECT:
  • Data format error.
  • Destination host is not responding.
  • Mail quota exceeded.
  • Mail transaction failed.
  • Mail transaction failed. Data format error.
  • Mail transaction failed. Mail quota exceeded.
  • Mail transaction failed. Message is too large.
  • Mail transaction failed. Partial message is available.
  • Mail transaction failed. Service unavailable.
  • Mail transaction failed. Session aborted.
  • Message is too large.
  • Network failure.
  • Service unavailable.
  • The subject may use any of the following strings:
  • Your message could not be delivered.
  • Your message is undeliverable.
  • Your message was not delivered.
• ATTACHMENT:

  The filenames of the attachment may contain any of these strings:

  • Alien vs. Predator 2
  • Angelina Jolie
  • Assassin
  • attachment
  • Auto Assault
  • BioShock
  • Britney Spears
  • Carmen Electra
  • casino
  • Command & Conquer 3: Tiberium Wars
  • Crysis
  • CSI: London
  • details
  • document
  • Dragonball
  • Dungeons & Dragons Online: Stormreach
  • Enemy Territory: Quake Wars
  • Extreme Ghouls n' Ghosts
  • Final Fantasy XIII
  • Full Auto
  • Full Auto 2: Battlelines
  • gaming
  • Ghost Recon: Advanced Warfighter
  • Ghost Rider
  • Grey's Anatomy - next season
  • Half-Life 2: Aftermath
  • Halo 3
  • Hellgate: London
  • Heroes season 2
  • Hilary Duff
  • Huxley
  • Indiana Jones 4
  • instructions
  • Jennifer Lopez
  • Jericho season 2
  • Jessica Alba
  • Jessica Simpson
  • Killzone PS3
  • letter
  • Live Free or Die Hard
  • Lost season 4
  • message
  • Metal Gear: Subsistence
  • myspace
  • myspacedetails
  • Neverwinter Nights 2
  • onlinecasino
  • onlinegaming
  • onlinepoker
  • Pamela Anderson
  • Paris Hilton
  • poker
  • pokerstrategy
  • pokertechnique
  • Premonition
  • Pursuit Force
  • Rainbow Six: Vegas
  • readme
  • Resident Evil 3
  • Resident Evil 5
  • Resistance: Fall of Man
  • Rush Hour 3
  • s Creed
  • Shark season 2
  • Six Degrees season 2
  • Smith season 2
  • Spider-Man 3
  • Splinter Cell: Double Agent
  • Spore
  • Star Trek: Legacy
  • Star Wars: Empire at War
  • Starcraft: Ghost
  • Studio 60 on the Sunset Strip season 2
  • Tekken
  • Terminator 4
  • The Hills Have Eyes II
  • transcript
  • Unreal Tournament 2007
  • Virtua Fighter 5
  • Warhammer Online Age Of Reckoning
  • your bank account details
  • your financial details
  • your financial information
  • your personal details
  • your personal information
  • your SSN etc
  • your tax returns
  • yourmyspacedetails
  • yoursite
  • yourwebsite
  • yousite
  • youtube-you
• With any of the following extensions:
  • .gif
  • .html
  • .jpeg
  • .mp3
  • .rtf
  • .txt
  • .wav
  • .wma
• Example:
  • Half-Life 2: Aftermath.gif
  • Neverwinter Nights 2.wav
  • Star Wars: Empire at War.jpeg
• BODY:

  This malware uses a pool of strings to search and combine to create the body of the email. The following are some of the strings that can be found in the email's body:

  • [Hi | Hello]
  • [We discovered this | I discovered this | We saw this | We found this | I saw this | I found this]
  • [shot | picture | photo]
  • (attached) of you on
  • [Flickr. | the web. | the net. | somebody's blog. | a web site.]
  • [Maybe you should | You should | You have to | I think you should | You need to]
  • [open it | see it | look at it]
  • [straight away. | right now. | immediately.]
  • [That's unnatural! | That's offensive! | That shouldn't be allowed! | That's disgusting! | I can't believe you would publish that yourself. | That should be private! | You shouldn't be doing that. | I can't believe you would do that. | I can't believe that is you.]
  • [Maybe you should | You should | You have to | I think you should | You need to]
  • [incredible | amazing | unbelievable | totally | completely]
  • [free offer | free deal]
  • [on a web site. | on the web. | on the net.]
  • [A free | This is a limited time | This is a limited | This is a one time | This is a once only]
  • [deal. | offer.]
  • [A | A brand new | Your own]
  • [laptop | Sat Nav | MP3 player | plasma TV | LCD TV | notebook | digital camera | cell phone | Nokia cell phone | iRiver Clix | Sony PSP | Nintendo DS Lite | Creative Zen V Plus | Creative Zen Vision:M | Sony Laptop | Apple MacBook Pro | Toshiba Gigabeat | iPod | Motorola Q cell phone | Canon PowerShot | Microsoft Zune |Sony PlayStation 3 | Nintendo Wii | Vista upgrade]
  • [completely free | totally free | for nothing | for free]
  • [Instructions attached. | Details attached. | Just open the attachment for details. | Look at the attachment. | See the attachment.]

Below are examples of the the possible string combinations that can be found in the body of the email:

• Hello, I found this picture (attached) of you on somebody's blog. Maybe you should look at it straight away. I can't believe you would publish that yourself.

• Hi, I saw this amazing free deal on the web. This is a one time offer. Your own Nintendo Wii totally free. Just open the attachment for details.

Other

Piggi.A also continues queries to the site mi5.gov.uk.

This malware comes packed with Yoda Protector 1.03.3