
Win32.PiBi.A@mm

MEDIUM
LOW
32256 bytes (65-70 KB when unpacked, ~30 KB when ZIP-compressed)
(N/A)

Symptoms

- the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys", causing a copy of the virus to run at start-up;
- the files "winsysNNN.exe" and "win32sysNNN.zip" in the "System" subfolder of the Windows folder ("NNN" is a random number);
- the file "C:\Msbootlog.sys";
- modified "script.ini" file in the mIRC folder;
- one of the following files (~32 KB in size) in the KaZaA shared folder:

- mirc6.exe
- winamp3.exe
- wincrack.exe
- icq2002.exe

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Delete the following keys:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys
      HKLM\Software\RedCell\infected

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.PiBi.A@mm.

Analyzed By

Bogdan Dragu, BitDefender Virus Researcher

Technical Description:

Win32.PiBi.A@mm spreads by sending e-mail messages with the worm attached in executable format, by sending itself (in .zip format) to other IRC users, and by tricking KaZaA users into downloading the worm from infected users. It was written in Visual C++ and packed with UPX.

It arrives in an email in one of the following formats:

From: (address of infected user)
Subject: Hello
Body:
You will find all you need in the attachment.
Attachment: setup.exe

From: john@barrysworld.com
Subject: Hello
Body:
You will find all you need in the attachment.
Attachment: setup.exe

From: "Microsoft"
Reply-To: "Microsoft"
Subject: Internet Explorer vulnerability patch
Body:
You will find all you need in the attachment.
Attachment: setup.exe


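The three message formats above are enough to write a mail-gateway check for this worm. The following is an added example (not BitDefender's code or anything from the page): it parses an RFC 822 message with Python's standard `email` module and reports which of the page's indicators are present: a known subject line, the hardcoded fallback sender, the lure sentence in the body, and an attachment named `setup.exe` that carries a PE ("MZ") header. The two sample messages are constructed here for the test and are not real captures; the recipient address is a placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the three message formats listed on the page.
PIBI_SUBJECTS = {"hello", "internet explorer vulnerability patch"}
PIBI_LURE = "you will find all you need in the attachment."
PIBI_ATTACHMENT = "setup.exe"
PIBI_FALLBACK_SENDER = "john@barrysworld.com"   # sender the worm uses when no account is found


def pibi_email_indicators(raw: bytes) -> list[str]:
    """Return the PiBi indicators found in one raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in PIBI_SUBJECTS:
        hits.append(f"subject {subject!r}")

    if PIBI_FALLBACK_SENDER in str(msg.get("From", "")).lower():
        hits.append("from: worm's hardcoded sender")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    if PIBI_LURE in text:
        hits.append("body: lure text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == PIBI_ATTACHMENT:
            hits.append("attachment named setup.exe")
            # The attachment is the worm itself in executable form: check for the PE header.
            if (part.get_payload(decode=True) or b"").startswith(b"MZ"):
                hits.append("attachment is a PE executable")
    return hits


def build_sample(sender: str, subject: str, body: str,
                 attach_name: str, attach_bytes: bytes) -> bytes:
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"      # placeholder recipient
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(attach_bytes, maintype="application",
                     subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples: the worm's second format, and a benign message.
WORM_SAMPLE = build_sample(PIBI_FALLBACK_SENDER, "Hello",
                           "You will find all you need in the attachment.",
                           "setup.exe", b"MZ" + b"\x00" * 62)
BENIGN_SAMPLE = build_sample("alice@example.invalid", "Meeting notes",
                             "Agenda attached.", "agenda.pdf", b"%PDF-1.4\n")

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, pibi_email_indicators(raw))
```

Matching on the subject or lure text alone would catch legitimate mail, so a gateway rule should require the `setup.exe` attachment (ideally with the PE header) together with at least one of the other indicators before quarantining.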
When executed, the worm:
- attempts to terminate the execution of processes that contain the substring "AV" in the name of one of the modules;
- creates the registry entry HKLM\Software\RedCell\infected with the value "yes";
- copies itself in the "System" subfolder of the Windows folder with the name "winsysNNN.exe" (where NNN is a random number) and creates the registry entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows task32 sys" in order for the copy of the worm to be run at Windows start-up;
- copies itself in the KaZaA shared folder with one of the names described above;
- creates a ZIP archive (named "win32sysNNN.zip") containing the worm in the "System" subfolder of the Windows folder, if WinZip is installed, and changes the mIRC "script.ini" file in order to send the ZIP-compressed virus to other users on the chat server, if mIRC is installed;
- copies the worm body (in Base64 format) into the file "C:\Msbootlog.sys"; this copy is later used to create the email attachments;
- sends email messages (in the format described above) to addresses found in .HTM files in the "Temporary Internet Files" folder; information about the user's email account and SMTP server is read from the registry if possible, otherwise the virus uses a hardcoded email address and SMTP server (john@barrysworld.com / smtp.barrysworld.com); a timer is set to attempt to send emails every 50 seconds;
- displays the following message box:
- if the current date is 15 September, displays this message box too:
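The Symptoms list and the "When executed" list above describe the same host artefacts from two angles. The following added example (not BitDefender's code or anything taken from the page) turns them into one host check: it runs over a snapshot of the registry Run values, the "System" subfolder, the root of C:, the KaZaA shared folder and mIRC's script.ini, and also decodes the Base64 copy in C:\Msbootlog.sys to confirm it holds a PE executable. The `HostSnapshot` layout, the value 417 standing in for "NNN", and the assumption that the modified script.ini names the win32sysNNN.zip archive are this example's own; a real collector would fill the snapshot from the live system.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    """Constructed host snapshot; the field layout is this example's own assumption."""
    run_values: dict          # value names under HKCU\...\CurrentVersion\Run -> command
    registry_values: dict     # other registry paths of interest -> data
    system_dir_files: list    # file names in the Windows "System" subfolder
    root_files: list          # file names in C:\
    kazaa_shared_files: list  # file names in the KaZaA shared folder
    mirc_script_ini: str      # content of mIRC's script.ini ("" if mIRC is absent)
    msbootlog_content: bytes = b""   # content of C:\Msbootlog.sys, if present


WINSYS_EXE = re.compile(r"^winsys\d+\.exe$", re.I)
WIN32SYS_ZIP = re.compile(r"^win32sys\d+\.zip$", re.I)
ZIP_REFERENCE = re.compile(r"win32sys\d+\.zip", re.I)
KAZAA_DECOYS = {"mirc6.exe", "winamp3.exe", "wincrack.exe", "icq2002.exe"}
REDCELL_KEY = r"HKLM\Software\RedCell\infected"


def looks_like_base64_pe(data: bytes) -> bool:
    """True if data is Base64 text whose decoded form starts with the PE 'MZ' header."""
    compact = b"".join(data.split())           # tolerate line-wrapped Base64
    try:
        decoded = base64.b64decode(compact, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return False
    return decoded.startswith(b"MZ")


def find_pibi_indicators(snap: HostSnapshot) -> list[str]:
    """Return every PiBi indicator present in the snapshot (empty list = clean)."""
    hits = []
    if any(name.lower() == "windows task32 sys" for name in snap.run_values):
        hits.append("registry: Run value 'Windows task32 sys'")
    if str(snap.registry_values.get(REDCELL_KEY, "")).lower() == "yes":
        hits.append(f"registry: {REDCELL_KEY} = yes")
    for name in snap.system_dir_files:
        if WINSYS_EXE.match(name) or WIN32SYS_ZIP.match(name):
            hits.append(f"file: System\\{name}")
    if any(name.lower() == "msbootlog.sys" for name in snap.root_files):
        hits.append("file: C:\\Msbootlog.sys")
        if looks_like_base64_pe(snap.msbootlog_content):
            hits.append("file: Msbootlog.sys holds a Base64-encoded executable")
    for name in snap.kazaa_shared_files:
        if name.lower() in KAZAA_DECOYS:
            hits.append(f"kazaa: decoy {name}")
    # Assumption: the modified script.ini names the worm archive it hands out.
    if ZIP_REFERENCE.search(snap.mirc_script_ini):
        hits.append("mirc: script.ini references win32sysNNN.zip")
    return hits


# Constructed snapshots (417 stands in for the random "NNN").
INFECTED = HostSnapshot(
    run_values={"Windows task32 sys": r"C:\WINDOWS\SYSTEM\winsys417.exe"},
    registry_values={REDCELL_KEY: "yes"},
    system_dir_files=["kernel32.dll", "winsys417.exe", "win32sys417.zip"],
    root_files=["boot.ini", "Msbootlog.sys"],
    kazaa_shared_files=["song.mp3", "wincrack.exe"],
    mirc_script_ini="[script]\n; constructed line naming C:\\WINDOWS\\SYSTEM\\win32sys417.zip\n",
    msbootlog_content=base64.encodebytes(b"MZ" + b"\x90" * 200),   # line-wrapped Base64
)
CLEAN = HostSnapshot(
    run_values={"SomeTool": r"C:\Program Files\SomeTool\sometool.exe"},
    registry_values={},
    system_dir_files=["kernel32.dll"],
    root_files=["boot.ini"],
    kazaa_shared_files=["song.mp3"],
    mirc_script_ini="",
)

if __name__ == "__main__":
    print("infected:", find_pibi_indicators(INFECTED))
    print("clean:", find_pibi_indicators(CLEAN))
```

The Run value name and the RedCell marker are the strongest single indicators; the winsysNNN.exe pattern and the KaZaA decoy names are weaker on their own because a random number or a coincidental file name can match, so an alert should weigh several hits together rather than act on one.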