Analysis by: Jemimah Mae Molina

ALIASES:

Trojan.Win32.Zonidel.dbn (KASPERSKY); Worm.Win32.Phorpiex (IKARUS)

 PLATFORM:

Windows

  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet, Via email

This Worm arrives as an attachment to mass-mailed email messages. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 30,208 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 11 Jun 2018
Payload: Creates entries to bypass firewall, Deletes initial copy of itself

Arrival Details

This Worm arrives as an attachment to mass-mailed email messages.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Worm drops and executes the following files:

  • %Windows%\T-26207508265082650820840\windrv.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows on all Windows operating system versions.)

It creates the following folders:

  • %Windows%\T-26207508265082650820840

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • [::::_TMLR_::::]

It terminates the execution of the copy it initially executed and executes the copy it drops instead.

Autostart Technique

This Worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe

Other System Modifications

This Worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\T-26207508265082650820840\windrv.exe:*:Enabled:Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

Other Details

This Worm deletes the initially executed copy of itself.

NOTES:
This worm sends email messages containing a copy of itself as an attachment. This worm queries the following mail server to harvest email addresses:

  • aol.com

The email it sends out has the following characteristics:
  • Uses any of the following strings as subject:
    • Photo
    • Picture
    • My photo
    • My picture
    • Your photo
    • Your picture
    • Our photo
    • Our picture
    • Is this you?
    • Have you seen this photo?
    • Best picture
    • You should take a look
    • Do you know her?
    • Take a look at my new picture please
    • Rate my new photo please
    • My new photo just for you!
    • Keep them private
    • Don't show anyone!
    • She is hot right?
    • What you think about her new picture
    • Lol.. look at her new photo!
    • LOL seen this photo?
    • WOW the best picture!
    • Don't share this one!
    • Just for you!
    • My love for you
    • Please rate my picture
    • Is she hot? Take a look at her
    • Damn I can't get her out my head
    • Someone told me it's you???
    • Keep it secret!
    • Your opinion needed
    • What is your opinion about this?
    • Trumps private photo leaked!
    • Is this good enough for facebook?
    • They will like it?
    • I'm about to post this on facebook
    • Look what has happened last weekend
    • The last party was hardcore
    • How drunk I was last night?
    • And I was really that drunk???
    • WTF is this?! Explain?!
    • Why you took that picture?!
    • I'm about to publish your photo
    • Best photo
    • Best piture
    • My best photo
    • My best picture
    • Your best photo
    • Your best picture
    • Keep this photo private please
    • Please keep this picture private
    • My newest picture
    • I think that's your best photo
    • How can she be so hot???
    • Unbelivable photo
    • My top photo
    • Photo of the party last night
    • Your scan wasn't approved
    • The scan quality is poor
    • Your scan has been approved!
    • The ugliest person in the world?
    • Photo of my new girlfriend
    • Photo of my new boyfriend
    • Rate the new photo of my gf
    • Rate the photo of my new bf
    • In love after seeing your photo
    • Why you shoot photos like that??
    • Next time don't forget about this photo
    • I took this photo of you
    • I took this photo of us
    • I took this photo of your mother
    • You will be shoked!
    • My new look!
    • Time for a change
    • My new hair
    • I think she is clearly retarded
    • Why would someone take such photos?
    • Not even good enough for facebook?Can't be more ugly than that?
    • Ugly as f*!
    • Will you be mad if I upload this?
    • Someone takes photos from you
    • Took photo of you
    • Why you look so ugly here...
    • How you just look so good here?
    • I simply love this photo of you!
    • I love you
    • Took photo just for you
    • You are my new love
    • My new love
    • Check out this photo I took for you!
    • Take a look!
    • Explain this!
    • Why the f* you took such photo?!
  • Uses any of the following strings as first name:
    • Adolfo
    • Adolph
    • Adrian
    • Adrian
    • Adriana
    • Adrienne
    • Agnes
    • Agustin
    • Ahmad
    • Ahmed
    • Aida
    • Aileen
    • Aimee
    • Aisha
    • Beulah
    • Beverley
    • Beverly
    • Bianca
    • Bill
    • Billie
    • Billie
    • Billy
    • Blaine
    • Blair
    • Blake
    • Blanca
    • Blanche
    • Bobbi
    • Bobbie
    • Bobby
    • Bonita
    • Bonnie
    • Booker
    • Boris
    • Boyd
    • Brad
    • Bradford
    • Bradley
    • Bradly
    • Brady
    • Deann
    • Deanna
    • Deanne
    • Debbie
    • Debora
    • Deborah
    • Debra
    • Deena
    • Deidre
    • Deirdre
    • Delbert
    • Delia
    • Gilda
    • Gina
    • Ginger
    • Gino
    • Giovanni
    • Gladys
    • Glen
    • Glenda
    • Glenn
    • Glenna
    • Gloria
    • Goldie
    • Gonzalo
    • Gordon
    • Hugh
    • Hugo
    • Humberto
    • Hung
    • Hunter
    • Ignacio
    • Ilene
    • Imelda
    • Imogene
    • Ines
    • Tania
    • Tanisha
    • Tanner
    • Tanya
    • Tara
    • Tasha
    • Taylor
    • Taylor
    • Teddy
    • Terence
    • Teresa
    • Teri
    • Terra
  • Uses any of the following strings as last name:
    • Bailey
    • Rivera
    • Cooper
    • Richardson
    • Howard
    • Ward
    • Torres
    • Peterson
    • Gray
    • Ramirez
    • James
    • Baker
    • Gonzalez
    • Nelson
    • Carter
    • Mitchell
    • Perez
    • Roberts
    • Turner
    • Phillips
    • Campbell
    • Parker
    • Evans
    • Edwards
    • Collins
    • Stewart
    • Sanchez
    • Morris
    • Rogers
    • Reed
    • Cook
    • Morgan
    • Bell
    • Murphy
    • Jackson
    • White
    • Harris
    • Martin
    • Thompson
    • Garcia
    • Martinez
    • Robinson
    • Clark
    • Rodriguez
    • Lewis
    • Walker
    • Hall
    • Allen
    • Young
    • Hernandez
    • King
    • Wright
    • Lopez
    • Hill
    • Scott
    • Green
    • Adams
    • Smith
    • Johnson
    • Williams
    • Jones
    • Brown
    • Davis
    • Miller
    • Wilson
    • Moore
    • Taylor
    • Anderson
    • Thomas
    • Watson
    • Brooks
    • Kelly
    • Sanders
    • Price
    • Bennett
    • Wood
    • Barnes
    • Ross
    • Henderson
    • Coleman
    • Jenkins
  • Uses the following as attachment file name:
    • {random numbers}.zip

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.850.01
FIRST VSAPI PATTERN DATE: 04 Mar 2019
VSAPI OPR PATTERN File: 14.851.00
VSAPI OPR PATTERN Date: 05 Mar 2019

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Identify and terminate files detected as Worm.Win32.PHORPIEX.AZ

  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\T-26207508265082650820840\windrv.exe:*:Enabled:Microsoft Windows Driver = %Windows%\T-26207508265082650820840\windrv.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    • DisableAntiSpyware = 1

Step 5

Search and delete this file

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\T-26207508265082650820840\windrv.exe
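Steps 3 to 5 check each artifact by hand. The following PowerShell script, added here as an example and not part of the Trend Micro write-up, audits a host for the same dropped file, Run-key persistence, Windows Firewall AuthorizedApplications entry and Defender policy value, and removes them only when -Remove is passed. It assumes (the page does not say) that the T-<digits> folder name can vary between infections, so it matches any %Windows%\T-*\windrv.exe.

```powershell
# Host audit for the PHORPIEX.AZ artifacts listed above. Added example, not
# Trend Micro's tooling. Assumption: the T-<digits> folder name may differ per
# infection, so any %Windows%\T-*\windrv.exe counts as a hit.
# Read-only unless -Remove is given; run from an elevated prompt.
param([switch]$Remove)

$valName  = 'Microsoft Windows Driver'
$runKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$fwKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$defKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$findings = @()

# 1. Dropped copy: %Windows%\T-<digits>\windrv.exe (hidden files included)
foreach ($file in Get-ChildItem -Path (Join-Path $env:SystemRoot 'T-*') -Filter 'windrv.exe' -Recurse -Force -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'File'; Location = $file.FullName; Name = '' }
}

# 2. Run-key persistence under HKLM and HKCU
foreach ($k in $runKeys) {
    $v = (Get-ItemProperty -Path $k -Name $valName -ErrorAction SilentlyContinue).$valName
    if ($v -like '*\windrv.exe') {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Location = $k; Name = $valName }
    }
}

# 3. Windows Firewall AuthorizedApplications entry allowing the dropped file
if (Test-Path $fwKey) {
    foreach ($p in (Get-ItemProperty -Path $fwKey).PSObject.Properties) {
        if ($p.Name -like '*\T-*\windrv.exe' -and $p.Value -like '*:Enabled:*') {
            $findings += [pscustomobject]@{ Type = 'FirewallAllow'; Location = $fwKey; Name = $p.Name }
        }
    }
}

# 4. Defender switched off through policy
$d = (Get-ItemProperty -Path $defKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue).DisableAntiSpyware
if ($d -eq 1) {
    $findings += [pscustomobject]@{ Type = 'DefenderPolicy'; Location = $defKey; Name = 'DisableAntiSpyware' }
}

if (-not $findings) { Write-Output 'No PHORPIEX.AZ artifacts found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    # Mirrors Steps 3 to 5: stop the running copy first, then remove values and the file
    Get-Process -Name 'windrv' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $findings) {
        if ($f.Type -eq 'File') { Remove-Item -LiteralPath $f.Location -Force }
        else { Remove-ItemProperty -Path $f.Location -Name $f.Name }
    }
}
```

Run it without -Remove first and review the table; the mutex [::::_TMLR_::::] is not checked, since a running process is already covered by the process-name check in the removal path.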

Step 6

Scan your computer with your Trend Micro product to clean files detected as Worm.Win32.PHORPIEX.AZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: