Virus

W32/Pilif

Analysis

This virus is 32-bit with a UPX packed file size of 20,480 bytes. This virus uses its own SMTP code and mass-mailing routine to distribute itself to others. It contains additional code to copy itself to popular P2P shared folders, mapped network drives, and to IRC users via dcc.

If the virus is run, it copies itself to the System32 folder, then modifies the registry to

- disable Outlook warning
- disable Task Manager

The virus sets these registry values -

HKEY_CURRENT_USER\Identities\{unique ID}\Software\Microsoft\
Outlook Express\5.0\Mail
"Warn on Mapi Send" = 0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\System
"DisableTaskMgr" = 01, 00, 00, 00

While the virus is running in memory, it will also disable use of the START button.


Loading at Windows Startup
The virus will register itself to load from this registry key -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Pilif" = C:\WINNT\System32\Pilif.exe
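The three registry changes above (the Outlook Express MAPI warning, the Task Manager policy and the Run key) are the host-level indicators an analyst would check for. The script below is an added example, not part of this write-up or of any Fortinet tooling: it parses a `.reg` export (as produced by `reg export` or Regedit) and reports any of the three indicators it finds. The export text it runs on is constructed for the example; the Identities GUID is a placeholder, since that value differs per mail profile.

```python
import re

# Constructed sample of a .reg export (not a real capture): it contains the
# three values the write-up lists, plus one unrelated Run entry as a control.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Warn on Mapi Send"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pilif"="C:\\WINNT\\System32\\Pilif.exe"
"ExampleUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
# The Identities GUID differs per profile, so that path is matched with a pattern.
OE_MAIL_KEY = re.compile(
    r"^hkey_current_user\\identities\\\{[^}]+\}\\software\\microsoft\\outlook express\\5\.0\\mail$"
)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name_lowercase: raw_data}} from a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"').lower()] = raw.strip()
    return keys


def decode_numeric(raw):
    """Decode dword:xxxxxxxx or hex:aa,bb,... (little-endian) to an int; None for other types."""
    raw = raw.lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return int.from_bytes(bytes.fromhex(raw[len("hex:"):].replace(",", "")), "little")
    return None


def find_pilif_indicators(reg_text):
    """Return human-readable findings for the registry changes the write-up describes."""
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        if path == RUN_KEY:
            for name, raw in values.items():
                if name == "pilif" or "pilif.exe" in raw.lower():
                    findings.append(f"Run key persistence: {name}={raw}")
        elif path == POLICY_KEY:
            raw = values.get("disabletaskmgr")
            if raw is not None and decode_numeric(raw) == 1:
                findings.append("Task Manager disabled (DisableTaskMgr=1)")
        elif OE_MAIL_KEY.match(path):
            raw = values.get("warn on mapi send")
            if raw is not None and decode_numeric(raw) == 0:
                findings.append("Outlook Express MAPI send warning disabled (Warn on Mapi Send=0)")
    return findings


if __name__ == "__main__":
    for finding in find_pilif_indicators(SAMPLE_REG_EXPORT):
        print(finding)
```

Because the Run key check also matches any value whose data points at Pilif.exe, it still fires if a variant renames the value but keeps the dropped file name; a DisableTaskMgr set as a REG_DWORD of 1 rather than the 4-byte binary shown above is decoded the same way.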


Mass-mailing routine
The virus searches the hard drive for email addresses and stores found addresses into a file "adrbook" in the System32 folder. The virus creates email messages using a list of possible subject lines and body text.

Possible attachment file names -

manifesto
pilif
sustain cause
details
attachement
Manifesto anti pilif
Manifesto details
Freedom of expression
Simple solution
Goverment issue

The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd.


P2P shared folder population
The virus will copy itself as one of these file names into the shared folders for numerous P2P applications -

Norton 2004 crack
Kasperky AV Universal Key
Dark Coderz Alliance
Anti-hacker Utility
Cracks mega warez collection
Sex - totally free porn
Easy credit card validation
Yahoo hacker
Webmail official hacker
Free porn sites accounts

The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd. The virus will copy itself to these folder locations -

\KMD\Shared Folder
\Kazaa\My Shared Folder
\Shareaza\downloads
\Morpheus\My Shared Folder
\Grokster\My Grokster
\BearShare\Shared
\Edonkey2000\Incoming
\limewire\Shared
\icq\shared files
\WinMX\my shared folder

Pilif will modify the registry to minimize security settings for Morpheus and Kazaa by removing virus scanning settings [for downloaded files] and to enable sharing of the shared folder.


IRC infection vector
The virus will search for installations of mIRC, an Internet chat client. If mIRC is located on the system, the virus will copy itself as the file "Manifesto Anti Censore Pilif.txt.exe" to the installation folder. Next, Pilif will modify the base configuration file to send "Manifesto Anti Censore Pilif.txt.exe" to others when joining chat channels.


Mapped network drives copy routine
The virus will search for mapped drives using a short script. For all files found, the virus will copy itself as one of these files -

manifesto
pilif
sustain cause
details
attachement
Manifesto anti pilif
Manifesto details
Freedom of expression
Simple solution
Goverment issue

The files will have one of these extensions - .scr, .pif, .bat, .com or .cmd.
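The attachment, P2P and mapped-drive routines all drop copies under the same short list of lure names and executable extensions, and the IRC routine drops one fixed double-extension file name. The script below is an added example (not part of this write-up) that turns those lists into a file-listing check: it flags any path whose name is one of the lure names with one of the five extensions, flags the mIRC file name, and notes whether the hit sits inside one of the P2P shared folders listed above. The directory listing it scans is constructed for the example; the `Z:` mapped-drive path and the Program Files locations are assumptions.

```python
import ntpath

# Lure base names from the attachment and P2P lists above, lower-cased.
LURE_NAMES = {
    "manifesto", "pilif", "sustain cause", "details", "attachement",
    "manifesto anti pilif", "manifesto details", "freedom of expression",
    "simple solution", "goverment issue",
    "norton 2004 crack", "kasperky av universal key", "dark coderz alliance",
    "anti-hacker utility", "cracks mega warez collection", "sex - totally free porn",
    "easy credit card validation", "yahoo hacker", "webmail official hacker",
    "free porn sites accounts",
}
LURE_EXTENSIONS = {".scr", ".pif", ".bat", ".com", ".cmd"}
MIRC_DROP_NAME = "manifesto anti censore pilif.txt.exe"
# Shared-folder paths from the write-up; matched as substrings of a full path.
P2P_SHARE_DIRS = [
    r"\kmd\shared folder", r"\kazaa\my shared folder", r"\shareaza\downloads",
    r"\morpheus\my shared folder", r"\grokster\my grokster", r"\bearshare\shared",
    r"\edonkey2000\incoming", r"\limewire\shared", r"\icq\shared files",
    r"\winmx\my shared folder",
]


def classify_name(path):
    """Return 'mirc-dropper', 'lure-copy' or None for a single file path."""
    name = ntpath.basename(path).lower()
    if name == MIRC_DROP_NAME:
        return "mirc-dropper"
    stem, ext = ntpath.splitext(name)
    if ext in LURE_EXTENSIONS and stem in LURE_NAMES:
        return "lure-copy"
    return None


def in_p2p_share(path):
    """True if the path lies under one of the P2P shared folders listed above."""
    low = path.lower()
    return any(d in low for d in P2P_SHARE_DIRS)


def scan_listing(paths):
    """Return (path, kind, in_p2p_share) for every path that matches the profile."""
    hits = []
    for p in paths:
        kind = classify_name(p)
        if kind is not None:
            hits.append((p, kind, in_p2p_share(p)))
    return hits


# Constructed directory listing (not a real capture): three matching files
# mixed with benign entries. Drive letters and folders are assumptions.
SAMPLE_LISTING = [
    r"C:\Program Files\Kazaa\My Shared Folder\Norton 2004 crack.scr",
    r"C:\Program Files\Kazaa\My Shared Folder\holiday.mp3",
    r"Z:\public\Goverment issue.pif",
    r"C:\Program Files\mIRC\Manifesto Anti Censore Pilif.txt.exe",
    r"C:\docs\details.txt",
]

if __name__ == "__main__":
    for path, kind, shared in scan_listing(SAMPLE_LISTING):
        print(f"{kind:13} shared={shared!s:5} {path}")
```

`ntpath` is used rather than `os.path` so the backslash paths split correctly even when the check is run from a non-Windows analysis host. A name such as `details.txt` is deliberately not flagged: the write-up ties the lure names to the five executable extensions, and matching on the stem alone would produce noise.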


Miscellaneous
The virus contains these strings embedded in its body, which are not displayed -

Only two things are infinite : The Universe and Human Stupidity. And I am not sure about the Universe - A.Einstein

Happy birthday Ombladon! Fuck you Pilif...

Feel how it is to have your basic rights taken away!

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option