W32/Pepa.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 10/02/2006
- Length: 184,320
- Minimum DAT: 4864 (10/02/2006)
- Updated DAT: 4864 (10/02/2006)
- Minimum Engine: 5.1.00
- Description Added: 10/02/2006
- Description Modified: 10/09/2006 5:15 AM (PT)
Characteristics
This threat "spreads" in several ways:
- MSN contact list - sends a hyperlink to the executable file
- P2P - copies itself to P2P locations
- IRC - sends a hyperlink to the executable file to other IRC users
- Network - copies itself to network locations
If users choose to download and/or run this file, it will contact a remote IRC server, log on to a specified channel and wait for further instructions. One of these instructions can result in the bot program sending the aforementioned hyperlink to all recipients on the infected user's buddy list. Technically not a worm, this threat requires a bot commander to initiate the "spimming" (IM spam) routine and the other spreading mechanisms.
Symptoms
This threat tries to copy itself to the Windows system directory (%SYSTEMDIR%) and modifies the following registry keys to load on system startup:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
\windowsservices="%SYSTEMDIR%\WinServices.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
\mscom32="%SYSTEMDIR%\mswin.exe"
The bot will attempt to connect to a remote IRC server, such as "208.98.9.185" or "athlon.ciphernet.org".
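A check for the startup entries listed above, as an added example that is not part of the original description or any vendor tooling: it parses the text output of `reg query` for the Run key and flags values whose name or target file matches the indicators on this page. The sample output and the value name "Updater" are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the Symptoms section of this page (compared case-insensitively).
RUN_VALUE_NAMES = {"windowsservices", "mscom32"}
DROPPED_FILES = {"winservices.exe", "mswin.exe"}

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def executable_name(data):
    """Return the lower-cased file name of the program a Run value launches."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted: keep everything up to the first .exe/.scr, else the first token.
        m = re.match(r"(.+?\.(?:exe|scr))(?:\s|$)", data, re.IGNORECASE)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def find_pepa_autoruns(reg_query_output):
    """Return (value_name, data, reasons) for Run values matching the page's indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        reasons = []
        if m["name"].strip().lower() in RUN_VALUE_NAMES:
            reasons.append("value name")
        if executable_name(m["data"]) in DROPPED_FILES:
            reasons.append("file name")
        if reasons:
            hits.append((m["name"].strip(), m["data"].strip(), reasons))
    return hits

# Constructed sample of `reg query` output; "Updater" is a hypothetical renamed entry.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    windowsservices    REG_SZ    C:\WINDOWS\system32\WinServices.exe
    Updater    REG_SZ    "C:\WINDOWS\system32\mswin.exe" /s
"""

if __name__ == "__main__":
    for name, data, reasons in find_pepa_autoruns(SAMPLE):
        print(f"{name} -> {data} (matched {', '.join(reasons)})")
```

Matching on the target file name as well as the value name catches an entry that has been renamed but still launches one of the dropped files.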
Method of Infection
This threat can use the following methods to spread itself:
- MSN
- IRC
- Network shares
- P2P
It does so by sending hyperlinks to the executable file, or by copying itself under different names, such as:
Windows XP pro.exe
MSN Messenger.exe
WinXpPro.exe
101_Porn_Movies.exe
Hotmail_Hacker_Pro.exe
Paris_Hilton_Sex_Video.scr
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
N/A
Overview
W32/Pepa.worm is an IRC-controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDoS attack on Internet systems.