Win32.PiBi.B@mm (I-Worm.PieceByPiece.B (Red Cell))

SYMPTOMS:
- files named "wsysNNN.exe" and "w32sysNNN.zip" in the "System" subfolder of the Windows folder (NNN being a random number);
- the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module";
- the file C:\boot64.bin (containing the worm in base64 format);
- a modified script.ini file in the mIRC folder;
- one of the following files (approx. 32 KB in size) in the shared folders of Kazaa/Morpheus/BearShare/eDonkey2000:
  - wmplay9.exe
  - wamp3.exe
  - winxpserial.exe
  - kmd22.exe

TECHNICAL DESCRIPTION:
This is the second version of Win32.Pibi.A@mm; like its predecessor it spreads by mass-mailing, IRC and file-sharing applications. It was written in Visual C++ and packed with UPX.

It arrives attached to an email message in one of the following formats:

From: (address of infected user)
Subject: Re: hya
Body: Istall the program in the attachment.
Attachment: install.exe

From: "Microsoft"
Reply-To: "Microsoft"
Subject: WindowsXP Service Release Pack 2.002
Body: Istall the program in the attachment.
Attachment: install.exe

The worm attempts to terminate some antivirus programs by scanning the loaded modules for names containing one of the following substrings (note that the match is a plain substring search, so unrelated programs whose names happen to contain one of these strings are also affected):
AV, F-, av, NOD32, SCAN, MON, ALERT, ANTIVIR, PCCW, PCC, FP-, TRAP, TDS2-, VET, SWEEP, MCAFEE, FIREW, DVP, CFI, ICL, VSHW

When run for the first time, the worm will:
- create the registry entry "HKLM\Software\PieceByPieceB\inf" with the value "yep";
- make a copy of itself in
- copy itself (under one of the names wmplay9.exe, wamp3.exe, winxpserial.exe, kmd22.exe) to the shared folders of Kazaa, Morpheus, BearShare and eDonkey2000, in order to spread to other users of those file-sharing applications;
- create a .zip archive of itself in
- create a base64-encoded copy of itself in C:\boot64.bin (used for the email attachment) and send email messages in the formats described above to addresses found by scanning the *.htm files in the Temporary Internet Files folder;
- display the following message box:

The worm then calls the RegisterServiceProcess API function in order to hide itself from the list of running tasks (on Windows 9x; the function does not exist on NT-based Windows, where the call simply fails) and to keep running after the current user logs off. It calls the mass-mailing routine once more and sets a timer that calls that routine every 50 seconds.

On October 18th the worm displays the following lyrics:

Removal instructions:
Manual removal: delete the registry entry and the files described in the Symptoms section; you may have to restart Windows in Safe Mode to do so.
Automatic removal: let BitDefender delete the infected files.

ANALYZED BY: Bogdan Dragu, BitDefender Virus Researcher
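As an added example (this is not BitDefender's code and not part of the original entry), the following Python script checks a host snapshot against the indicators listed in the Symptoms section and applies the worm's substring kill list to module names. The snapshot format, the System and Kazaa shared-folder paths, the +/-4 KB window around "approx. 32 KB", and the assumption that the kill-list match is case-sensitive (both "AV" and "av" are listed) are this example's own; the sample snapshot is constructed, not captured data.

```python
"""Offline IOC check for Win32.PiBi.B@mm.

Added example, not BitDefender's code. It runs over a host snapshot
(registry values, file listing, contents of C:\\boot64.bin) that a triage
script would collect; the snapshot below is constructed, not real data.
"""
import base64
import binascii
import re

# --- Indicators taken from the Symptoms / Technical description above -------
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Kernel32.dll module"
MARKER_KEY = r"HKLM\Software\PieceByPieceB"          # value "inf" = "yep"
DROP_NAME_RE = re.compile(r"^(?:wsys\d+\.exe|w32sys\d+\.zip)$")  # NNN = digits
P2P_NAMES = {"wmplay9.exe", "wamp3.exe", "winxpserial.exe", "kmd22.exe"}
P2P_SIZE = (28 * 1024, 36 * 1024)   # "approx. 32 KB"; the window is an assumption

# Kill-list substrings from the text. "AV" and "av" are listed separately, so
# the match is assumed to be a case-sensitive plain substring search.
KILL_SUBSTRINGS = ("AV", "F-", "av", "NOD32", "SCAN", "MON", "ALERT", "ANTIVIR",
                   "PCCW", "PCC", "FP-", "TRAP", "TDS2-", "VET", "SWEEP",
                   "MCAFEE", "FIREW", "DVP", "CFI", "ICL", "VSHW")


def kill_list_hits(module_name):
    """Substrings the worm's kill routine would match in a module name."""
    return [s for s in KILL_SUBSTRINGS if s in module_name]


def check_registry(values):
    """values: {(key, value_name): data} as exported from the host."""
    found = []
    if (RUN_KEY, RUN_VALUE) in values:
        found.append(f"Run entry '{RUN_VALUE}' -> {values[(RUN_KEY, RUN_VALUE)]}")
    if values.get((MARKER_KEY, "inf")) == "yep":
        found.append("infection marker " + MARKER_KEY + "\\inf = yep")
    return found


def check_files(files, system_dir, share_dirs):
    """files: [(path, size_bytes)]; paths are compared case-insensitively."""
    found = []
    shares = {d.lower() for d in share_dirs}
    for path, size in files:
        folder, _, name = path.lower().rpartition("\\")
        if folder == system_dir.lower() and DROP_NAME_RE.match(name):
            found.append(f"dropped copy {path}")
        elif name in P2P_NAMES and folder in shares:
            size_ok = P2P_SIZE[0] <= size <= P2P_SIZE[1]
            found.append(f"P2P bait {path} ({size} bytes{'' if size_ok else ', size off'})")
        elif name == "script.ini" and "mirc" in folder:
            # The page does not give the added script text, so only flag it.
            found.append(f"mIRC {path}: review for worm-added commands")
    return found


def check_boot64(blob):
    """C:\\boot64.bin holds the worm base64-encoded: decode, expect an MZ file."""
    if blob is None:
        return []
    try:   # the file is mail-body material, so strip line breaks first
        raw = base64.b64decode(b"".join(blob.split()), validate=True)
    except binascii.Error:
        return ["C:\\boot64.bin present but not valid base64"]
    if raw[:2] != b"MZ":
        return ["C:\\boot64.bin decodes but is not an MZ executable"]
    note = " (UPX section names present)" if b"UPX0" in raw else ""
    return ["C:\\boot64.bin is a base64-encoded MZ executable" + note]


def scan(snapshot, system_dir=r"C:\WINDOWS\System",
         share_dirs=(r"C:\Program Files\Kazaa\My Shared Folder",)):
    """Run every check over one snapshot and return the list of findings."""
    findings = check_registry(snapshot["registry"])
    findings += check_files(snapshot["files"], system_dir, share_dirs)
    findings += check_boot64(snapshot.get("boot64"))
    return findings


def build_sample_snapshot():
    """Constructed snapshot of an infected machine (not captured data)."""
    fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x90" * 64
    return {
        "registry": {
            (RUN_KEY, RUN_VALUE): r"C:\WINDOWS\System\wsys417.exe",
            (MARKER_KEY, "inf"): "yep",
        },
        "files": [
            (r"C:\WINDOWS\System\wsys417.exe", 32512),
            (r"C:\WINDOWS\System\w32sys417.zip", 21000),
            (r"C:\Program Files\Kazaa\My Shared Folder\winxpserial.exe", 32512),
            (r"C:\Program Files\Kazaa\My Shared Folder\setup.exe", 2100000),
            (r"C:\mIRC\script.ini", 800),
        ],
        "boot64": base64.encodebytes(fake_exe),   # line-wrapped like a mail body
    }


if __name__ == "__main__":
    for line in scan(build_sample_snapshot()):
        print("[!]", line)
    for proc in ("navapw32.exe", "wavplayer.exe", "explorer.exe"):
        print(proc, "->", kill_list_hits(proc) or "not targeted")
```

On a real host the snapshot would be filled from a registry export and a directory listing; the boot64 check is the one indicator that can be confirmed offline, since a base64 blob that decodes to an MZ header is exactly what the mailing routine attaches. The kill-list helper shows the collateral of the worm's crude matching: wavplayer.exe is targeted because it contains "av".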