Win/Phorpiex Worm

Original Issue Date:- July 17, 2019
Virus Type:- Worm
Severity:- High

It has been reported that variants of a worm named "Phorpiex" are spreading. The worm mainly targets Windows operating systems and spreads by means of removable devices and instant messaging software. The malware may also arrive on a system as a result of a drive-by download or as files created by other malware. The malware is capable of performing the following functions:

  • Allows backdoor access and control.
  • Creates a hidden folder on removable drives containing a copy of the malware and creates shortcuts pointing to those hidden folders.
  • Checks for messaging software on the computer such as AIM, Google Talk, ICQ, Paltalk, Windows Live Messenger and Xfire chat; if found, the worm automatically sends a malicious link using these messengers.
  • Makes network connections to an IRC server and receives commands from the remote server indicating malicious actions to be performed.
  • Changes firewall settings to authorize itself to access the internet without any barrier.
  • Acts as a platform for sending phishing e-mails containing other malware such as GandCrab.
  • Uses anti-analysis techniques and terminates itself if analysis tools are found running.

Indicators of Compromise:

File system changes:

  • Upon spreading via removable drives, the malware makes a copy of itself in the following directories:
    • %USERPROFILE%\M-1-52-5782-8752-5245
    • C:\Users\$USERNAME\%TEMP%
    • C:\Windows
  • File names used by the malware when copying itself are:
    • windsrcn.exe
    • winmgr.exe
    • winsam.exe
    • winsrvc.exe
    • winsvc.exe
  • It creates an “autorun.inf” file in the root directory of the targeted drive to spread itself via removable drives.


Registry Changes:

In subkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows Update"
With data: "%USERPROFILE%\M-1-52-5782-8752-5245\winsvc.exe"
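The file-system and registry indicators above can be checked on a host with the following PowerShell script. It is an added example, not part of the original advisory; it assumes it is run as an administrator, reads the advisory's `C:\Users\$USERNAME\%TEMP%` entry as the current user's %TEMP% directory, and only reports matches rather than removing anything.

```powershell
# Added example (not from the advisory): look for the Phorpiex persistence and
# drop-file indicators listed above. Assumes an elevated PowerShell session.
$findings = @()

# 1. Persistence: Run key value "Microsoft Windows Update" pointing at the hidden profile folder.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Microsoft Windows Update'
if ($runValue) {
    $findings += "Run key value 'Microsoft Windows Update' present, data: $runValue"
}

# 2. Dropped copies: the advisory's file names in the advisory's drop directories.
#    %TEMP% is assumed to be the current user's temp directory (an assumption).
$dropNames = 'windsrcn.exe', 'winmgr.exe', 'winsam.exe', 'winsrvc.exe', 'winsvc.exe'
$dropDirs  = @("$env:USERPROFILE\M-1-52-5782-8752-5245", $env:TEMP, $env:SystemRoot)
foreach ($dir in $dropDirs) {
    foreach ($name in $dropNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped file present: $path"
        }
    }
}

# 3. Removable drives (DriveType 2): autorun.inf in the root and a copy inside a hidden folder.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root    = $disk.DeviceID + '\'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings += "autorun.inf present on removable drive $($disk.DeviceID)"
    }
    $hiddenDirs = Get-ChildItem -LiteralPath $root -Directory -Hidden -ErrorAction SilentlyContinue
    foreach ($hdir in $hiddenDirs) {
        $hits = Get-ChildItem -LiteralPath $hdir.FullName -File -ErrorAction SilentlyContinue |
                Where-Object { $dropNames -contains $_.Name }
        foreach ($hit in $hits) {
            $findings += "Copy inside hidden folder on removable drive: $($hit.FullName)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Phorpiex indicators from the advisory found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the Run key value or on a file in the hidden `M-1-52-5782-8752-5245` folder is the strongest signal; a lone `autorun.inf` on a removable drive should be confirmed by inspecting its contents before acting.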


Malware Hashes:



Network Communication:



Countermeasures:

  • Monitor and block network traffic and systems making connections to the above-mentioned domains/IPs at firewalls, IDS, web gateways, routers or other perimeter-based devices.
  • Delete the file system and registry changes made by the malware.
  • Disable the Autorun functionality in Windows: http://support.microsoft.com/kb/967715
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
  • Use application whitelisting or a strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths, since ransomware samples generally drop and execute from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
  • Block e-mail attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
  • Consider encrypting confidential data, as ransomware generally targets common file types.
  • Exercise caution while visiting links to Web pages.
  • Do not visit untrusted websites.
  • Use strong passwords and also enable password policies.
  • Enable firewall at desktop and gateway level.
  • Protect yourself against social engineering attacks.
