Win32/Phorpiex [Threat Name]

Win32/Phorpiex.A [Threat Variant Name]

Category: worm
Aliases: Trojan.Win32.Yakes.bcsr (Kaspersky)

Short description

Win32/Phorpiex.A is a worm that spreads via e-mail and removable media. The worm can be used for sending spam.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\%variable%\winsvc.exe

A string with variable content is used instead of %variable%.


The file is then executed.


The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Windows Service" = "%userprofile%\%variable%\winsvc.exe"

This causes the worm to be executed on every system start.


The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%userprofile%\%variable%\winsvc.exe" = "%userprofile%\%variable%\winsvc.exe:*:Enabled:Microsoft Windows Service"

This entry creates an exception in Windows Firewall.


The worm may create the following files:

  • %appdata%\winsvcns.sys

Spam distribution

Win32/Phorpiex.A is a worm that is used for spam distribution.


The message depends entirely on data the worm downloads from the Internet.

Spreading via e-mail

Win32/Phorpiex.A is a worm that spreads via e-mail.


The message depends entirely on data the worm downloads from the Internet.


The body of the message can contain some of the following:

  • Is this you??
  • Picture of you???
  • Tell me what you think of this picture
  • This is the funniest picture ever!
  • I cant believe I still have this picture
  • Someone showed me your picture
  • Your photo isn't really that great
  • I love your picture!
  • What you think of my new hair color?
  • What do you think of my new hair?
  • You look so beautiful on this picture
  • You should take a look at this picture
  • Take a look at my new picture please
  • What you think of this picture?
  • Should I upload this picture on facebook?
  • Someone told me it's your picture

The attachment is an executable of the worm.


The attached file has the following name:

  • IMG%variable%-JPG.ZIP

A string with variable content is used instead of %variable%.
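
The registry entries from the Installation section and the attachment name above can be expressed as a small matcher for exported registry values and mail-gateway attachment names. This is an added example, not code from the original description; the profile path pattern, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: %userprofile% resolves to a default profile directory.
_PROFILE = r"[a-z]:\\(?:users|documents and settings)\\[^\\]+"
# %userprofile%\%variable%\winsvc.exe: one variable directory level.
_DROP = _PROFILE + r"\\[^\\]+\\winsvc\.exe"
_LABEL = "Microsoft Windows Service"
_RUN_KEY = r"\software\microsoft\windows\currentversion\run"
_FW_KEY = (r"\services\sharedaccess\parameters\firewallpolicy"
           r"\standardprofile\authorizedapplications\list")

RE_DROP = re.compile(_DROP + r"$", re.I)
RE_FW = re.compile(_DROP + r":\*:enabled:" + re.escape(_LABEL) + r"$", re.I)
# IMG%variable%-JPG.ZIP; assumes the variable part is non-empty.
RE_ATTACH = re.compile(r"^IMG.+-JPG\.ZIP$", re.I)


def check_registry(key, name, data):
    """Return the indicator a registry value matches, or None."""
    key, data = key.lower(), data.strip().strip('"')
    if key.endswith(_RUN_KEY) and name == _LABEL and RE_DROP.match(data):
        return "run-key persistence"
    if key.endswith(_FW_KEY) and RE_FW.match(data):
        return "firewall exception"
    return None


def check_attachment(filename):
    """True if an attachment name has the IMG%variable%-JPG.ZIP shape."""
    return bool(RE_ATTACH.match(filename))


def scan(records):
    """Return (indicator, record) for each (key, name, data) that matches."""
    pairs = ((check_registry(*rec), rec) for rec in records)
    return [(hit, rec) for hit, rec in pairs if hit]


# Constructed sample records; EXAMPLEDIR stands in for %variable%.
_EXE = r"C:\Users\alice\EXAMPLEDIR\winsvc.exe"
SAMPLE = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", _LABEL, _EXE),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", _LABEL,
     r"C:\Windows\System32\winsvc.exe"),  # wrong location: no match
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     _EXE, _EXE + ":*:Enabled:" + _LABEL),
]
```

The attachment pattern is broad by design, since only the IMG prefix and the -JPG.ZIP suffix are fixed; treat a match as a reason to inspect the archive, not as a verdict.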

Spreading on removable media

Win32/Phorpiex.A is a worm that spreads via removable media.


The worm may create the following files:

  • %removabledrive%\%variable1%.exe (Win32/Phorpiex.A)
  • %removabledrive%\%variable2%.lnk
  • %removabledrive%\autorun.inf

A string with variable content is used instead of %variable1-2%.


The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

The worm collects the following information:

  • information about the operating system and system settings
  • installed software

The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of URLs. The IRC protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam
