Classification

Category :

Malware

Type :

Worm

Aliases :

Warpigs.B, W32/Warpigs.B, W32/Warpi.worm, W32.HLLW.Warpigs.B

Summary

Warpigs.B is a network worm with an IRC-controlled backdoor and a self-update capability. It was written in Visual C++ and spreads in UPX-packed form, about 67 KB in size.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Network spreading

Warpigs.B carries a password list of more than 1600 entries.

The worm tries these passwords while scanning for hosts it can log on to. If any of them grants access to a host, the worm copies itself there.

Warpigs.B has a copy of the psexec.exe tool in its body. Psexec is used to copy and run the worm on vulnerable hosts.

System infection

When Warpigs.B enters a system it copies itself to the System Directory as 'winupdate.exe'. It adds references to this copy in the registry as:

'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\windowsupdate'

and

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windowsupdate'

The infected copy is also added to system.ini as:

[Boot]
Shell=explorer winupdate.exe

With these modifications the worm makes sure that it is started every time the computer starts.
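The indicators above (the dropped file names, the 'windowsupdate' Run/RunOnce values and the extra program on the system.ini Shell line) are the ones an incident responder would check on a suspect machine. The following Python script is an added example, not F-Secure's tool and not code from the worm: it runs offline over a copied system.ini and a regedit export (assumed to be in the standard "Windows Registry Editor Version 5.00" format) plus a directory listing, so it can be applied to artifacts collected from a host. The sample inputs are constructed to match the entries quoted above.

```python
"""Triage checks for the Warpigs.B persistence indicators described above.

Added example (not F-Secure's F-Warpigs tool): it works over collected
artifacts rather than a live host, so it runs anywhere.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterable, List

# File and value names taken from the description above.
DROPPED_FILES = {"winupdate.exe", "pqonwe.exe"}
REG_VALUE_NAME = "windowsupdate"
# .reg exports spell the hives out in full; compared case-insensitively.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
REG_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def check_system_ini(text: str) -> List[str]:
    """Flag a [boot] Shell= line that starts anything besides explorer."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "boot" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            extra = [t for t in value.split()
                     if t.lower() not in ("explorer", "explorer.exe")]
            if extra:
                findings.append("system.ini [boot] Shell also launches: " + " ".join(extra))
    return findings


def check_reg_export(text: str) -> List[str]:
    """Flag Run/RunOnce values named 'windowsupdate' or pointing at a dropped file."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = REG_STRING_VALUE.match(line)
        if not m or current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        # .reg files escape backslashes in string data as "\\".
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == REG_VALUE_NAME or PureWindowsPath(value).name.lower() in DROPPED_FILES:
            findings.append(f"{current_key}\\{name} = {value}")
    return findings


def check_dropped_files(system_dir_listing: Iterable[str]) -> List[str]:
    """Return the dropped file names present in a System Directory listing."""
    return sorted({n.lower() for n in system_dir_listing} & DROPPED_FILES)


# Constructed samples modelled on the entries quoted in the description.
SAMPLE_SYSTEM_INI = """\
; constructed sample
[boot]
Shell=explorer winupdate.exe
[drivers]
wave=mmdrv.dll
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowsupdate"="C:\\WINDOWS\\system32\\winupdate.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"windowsupdate"="C:\\WINDOWS\\system32\\winupdate.exe"
"""

SAMPLE_LISTING = ["kernel32.dll", "PQONWE.EXE", "winupdate.exe", "ctfmon.exe"]


def triage(system_ini: str, reg_export: str, listing: Iterable[str]) -> List[str]:
    """Combine the three checks into one list of findings."""
    return (check_system_ini(system_ini)
            + check_reg_export(reg_export)
            + ["dropped file present: " + n for n in check_dropped_files(listing)])


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSTEM_INI, SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```

On a real case, feed it system.ini from the Windows directory, the output of `regedit /e` for the two Run keys, and a listing of the System Directory. A clean machine produces no findings; note that 'winupdate.exe' on its own is a plausible-looking name, so the registry value name and the Shell line are the stronger indicators.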

When scanning for vulnerable remote systems the worm drops a UPX-packed copy of the popular network tool psexec.exe. This file is dropped to the System Directory as 'pqonwe.exe'.

Backdoor

Warpigs.B is built around an IRC controlled backdoor component. The backdoor provides a remote attacker with full control over the infected machine.

When the worm is started the backdoor component connects to a predefined IRC server and joins a predefined channel. The server listens on TCP port 5000 rather than the usual IRC port 6667, so firewall or IDS rules that only watch port 6667 will not see this traffic.

The backdoor has a command that updates the worm from a predefined website; the site was no longer reachable at the time of analysis.
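Because the backdoor speaks IRC on a port other than 6667, a port-based rule misses it while a protocol-based check does not. The following Python script is an added example, not part of the original description or of any F-Secure tool: it looks at the first client-to-server bytes of each outbound flow and flags IRC registration commands (NICK, USER, PASS, JOIN, as defined in the IRC RFCs) sent to a non-standard port. The flow records and addresses are constructed; port 5000 is the one the description gives for this worm.

```python
"""Network-side check for the Warpigs.B IRC backdoor described above.

Added example: flags IRC handshakes sent to ports other than 6667, which is
how this worm's backdoor behaves (it uses port 5000).
"""
import re
from dataclasses import dataclass
from typing import List

STANDARD_IRC_PORTS = {6667}  # the port the description contrasts with
# Commands an IRC client sends when registering or joining (RFC 1459/2812).
IRC_HANDSHAKE = re.compile(rb"^(NICK|USER|PASS|JOIN) ", re.IGNORECASE | re.MULTILINE)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def looks_like_irc(payload: bytes) -> bool:
    """True if the client side of the flow starts with an IRC handshake command."""
    return IRC_HANDSHAKE.search(payload) is not None


def flag_irc_backdoor(flows: List[Flow]) -> List[str]:
    """Return one line per flow that speaks IRC to a non-standard port."""
    hits = []
    for f in flows:
        if looks_like_irc(f.payload) and f.dport not in STANDARD_IRC_PORTS:
            hits.append(f"{f.src} -> {f.dst}:{f.dport} IRC handshake on non-standard port")
    return hits


# Constructed flow records (RFC 5737 documentation addresses, made-up nicks).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 5000, b"NICK wp-00123\r\nUSER wp 0 * :wp\r\nJOIN #chan\r\n"),
    Flow("10.0.0.9", "198.51.100.8", 6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),
    Flow("10.0.0.5", "198.51.100.9", 5000, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in flag_irc_backdoor(SAMPLE_FLOWS):
        print(hit)
```

Only the first flow is reported: the second is ordinary IRC on 6667 and the third is HTTP that happens to use port 5000. Checking the payload rather than the port is the point; in practice the flow records would come from a capture or a proxy log, and the rule would be paired with the specific server once it is known.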

Removal

F-Secure has created a special disinfection tool for this worm. F-Warpigs terminates the running copy of the worm in memory, removes the infected files and reverts the configuration changes the worm made.

The F-Warpigs tool is available for download from:

ftp://ftp.f-secure.com/anti-virus/tools/f-warpigs.zip