W32/Pepa.worm

Type: Virus
SubType: Worm
Discovery Date: 10/02/2006
Length: 184,320
Minimum DAT: 4864 (10/02/2006)
Updated DAT: 4864 (10/02/2006)
Minimum Engine: 5.1.00
Description Added: 10/02/2006
Description Modified: 10/09/2006 5:15 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Overview

W32/Pepa.worm is an IRC-controlled backdoor that gives an attacker unauthorized remote access to the compromised computer. The attacker can take control of the machine and use it to launch DDoS attacks against Internet systems.

Characteristics

This threat "spreads" in several ways:

  • MSN contact list - sending a hyperlink to the executable file
  • P2P - copying itself to P2P shared locations
  • IRC - sending a hyperlink to the executable file to other IRC users
  • Network - copying itself to network locations

If a user chooses to download and/or run the file, it contacts a remote IRC server, logs on to a specified channel and waits for further instructions. One of these instructions makes the bot send the aforementioned hyperlink to every contact on the infected user's buddy list. Technically this is not a worm: it requires a bot commander to initiate the "spimming" (IM spam) routine and the other spreading mechanisms.

Symptoms

This threat copies itself to the Windows system directory (%SYSTEMDIR%) and adds the following registry values so that it is loaded at system startup:

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windowsservices="%SYSTEMDIR%\WinServices.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\mscom32="%SYSTEMDIR%\mswin.exe"

The bot then attempts to connect to a remote IRC server such as "208.98.9.185" or "athlon.ciphernet.org".
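As an added example (not part of the McAfee advisory), the following Python checker turns the indicators above into a host triage routine: it parses the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` for the two autorun values (matching on the value name or on the dropped file name, so a renamed value is still caught), and checks file-name and connection lists against the lure names and IRC servers. The `reg query` output format is assumed to be the usual indented "name  REG_SZ  data" layout; the sample output, file names and hosts are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List
# Indicators taken from the advisory above (lower-cased for comparison).
RUN_VALUES = {"windowsservices": "winservices.exe", "mscom32": "mswin.exe"}
DROPPED_NAMES = {"windows xp pro.exe", "msn messenger.exe", "winxppro.exe",
                 "101_porn_movies.exe", "hotmail_hacker_pro.exe",
                 "paris_hilton_sex_video.scr"}
IRC_SERVERS = {"208.98.9.185", "athlon.ciphernet.org"}
# Constructed sample of `reg query HKLM\...\Run` output (not real host data).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    ctfmon.exe         REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    windowsservices    REG_SZ    "C:\WINDOWS\system32\WinServices.exe"
    Updater            REG_SZ    C:\WINDOWS\system32\mswin.exe
"""

# Assumed `reg query` line layout: indent, value name, type, data.
_VALUE_LINE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

def parse_run_key(reg_output: str) -> Dict[str, str]:
    """Map each Run value name (lower-cased) to its data string."""
    values: Dict[str, str] = {}
    for line in reg_output.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1).strip().lower()] = m.group(3).strip()
    return values

def find_pepa_autoruns(reg_output: str) -> List[str]:
    """Flag Run entries whose value name OR target file matches the advisory,
    so an entry re-registered under another name still trips on the file."""
    hits = []
    for name, data in parse_run_key(reg_output).items():
        target = data.strip('"').rsplit("\\", 1)[-1].lower()
        if name in RUN_VALUES or target in RUN_VALUES.values():
            hits.append(f"{name}={data}")
    return hits

def find_dropped_files(names: Iterable[str]) -> List[str]:
    """Return file names matching the lure names the worm copies itself under."""
    return sorted(n for n in names if n.lower() in DROPPED_NAMES)

def find_irc_c2(hosts: Iterable[str]) -> List[str]:
    """Return connection destinations matching the advisory's IRC servers."""
    return sorted(h for h in hosts if h.lower() in IRC_SERVERS)

if __name__ == "__main__":
    for hit in find_pepa_autoruns(SAMPLE_REG_OUTPUT):
        print("suspicious Run entry:", hit)
```

On a live Windows host, feed the function the captured output of the `reg query` command instead of the constructed sample.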

Method of Infection

This threat can spread through the following channels:

  • MSN
  • IRC
  • Network shares
  • P2P

It does so by sending hyperlinks to the executable file, or by copying itself under different names, such as:

Windows XP pro.exe
MSN Messenger.exe
WinXpPro.exe
101_Porn_Movies.exe
Hotmail_Hacker_Pro.exe
Paris_Hilton_Sex_Video.scr

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

N/A