WORM_PHORPIEX.SC
Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It also connects to possibly malicious URLs; however, as of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
File size: 951,296 bytes
File type: EXE
Initial samples received date: 05 Aug 2015
Arrival Details
This worm arrives via removable drives.
Installation
This worm drops the following copies of itself into the affected system:
- %WINDOWS%\M-505044051024025020107840\winmgr.exe
It creates the following folders:
- %WINDOWS%\M-505044051024025020107840
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Manager = "%WINDOWS%\M-505044051024025020107840\winmgr.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Manager = "%WINDOWS%\M-505044051024025020107840\winmgr.exe"
Other System Modifications
This worm creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"%WINDOWS%\M-505044051024025020107840\winmgr.exe" = "%WINDOWS%\M-505044051024025020107840\winmgr.exe"
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- Private.exe
- Movies.exe
- Pictures.exe
- Secret.exe
- Documents.exe
- Music.exe
- winmgr.exe
- 505050.exe
- windrv.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
{garbage strings}
[autorun]
{garbage strings}
icon=%SystemRoot%\system32\SHELL32.dll,4
{garbage strings}
action=Open folder to view files
{garbage strings}
shellexecute=windrv.exe
{garbage strings}
UseAutoPlay=1
{garbage strings}
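A defender-side triage check for the AUTORUN.INF pattern described above, added here as an example and not taken from the original report: it parses an autorun.inf the way Windows does (ignoring the junk lines) and flags the folder-icon spoof, the "Open folder" action text and the executable named by shellexecute. The sample file content, the filler lines and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the strings listed in the report; the filler
# lines stand in for the "{garbage strings}" interleaved with the real keys.
SAMPLE_AUTORUN_INF = """\
[autorun]
zzzx91 ,,,
icon=%SystemRoot%\\system32\\SHELL32.dll,4
%%%% 8asdf
action=Open folder to view files
!!q ;;;;
shellexecute=windrv.exe
qqqq8899
UseAutoPlay=1
"""

# Keys whose value Windows would launch when the drive is opened.
EXEC_KEYS = ("shellexecute", "open", "shell\\open\\command")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")
KEY_VALUE = re.compile(r"^\s*([A-Za-z][\w\\]*)\s*=\s*(.*?)\s*$")

def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return [autorun] key/value pairs; junk lines are skipped, as Windows does."""
    entries: dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):  # section header: only [autorun] matters
            in_section = stripped.lower() == "[autorun]"
            continue
        m = KEY_VALUE.match(line)
        if in_section and m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def autorun_findings(text: str) -> list[str]:
    """Flag the traits of the AUTORUN.INF this report describes."""
    e = parse_autorun_inf(text)
    findings = []
    for key in EXEC_KEYS:
        if e.get(key, "").lower().endswith(EXEC_EXTS):
            findings.append(f"{key} launches an executable: {e[key]}")
    if "shell32.dll,4" in e.get("icon", "").lower():
        findings.append("icon borrows the folder icon from SHELL32.dll")
    if "open folder" in e.get("action", "").lower():
        findings.append("action text imitates the AutoPlay 'open folder' entry")
    if e.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 requests automatic execution")
    return findings
```

Running `autorun_findings(SAMPLE_AUTORUN_INF)` yields four findings for the constructed sample; a benign autorun.inf that only sets an icon yields none.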
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}0.ru
- {BLOCKED}0.ru
- {BLOCKED}0.ru
- {BLOCKED}0.ru
However, as of this writing, the said sites are inaccessible.