W32/Pepex.c@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 11/11/2002
Length: 32,256 bytes
Minimum DAT: 4233 (11/13/2002)
Updated DAT: 4233 (11/13/2002)
Minimum Engine: 5.1.00
Description Added: 11/12/2002
Description Modified: 11/13/2002 1:24 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This threat is detected as New Worm with the 4120 DATs or higher when scanning compressed files with heuristics enabled.

This mass-mailing worm attempts to harvest addresses from cached web pages, spreads via Internet Relay Chat and the KaZaa, Morpheus, and Bearshare peer to peer file sharing applications. It arrives in an email message containing the following information:

Subject: Re: hya
or
Subject: WindowsXP Service Release Pack 2.002

Body: Istall the program in the attachment.
Attachment: install.exe

When the attachment is run, the virus terminates processes in memory whose names contain the following strings:
  • ALERT
  • ANTIVIR
  • av
  • AV
  • CFI
  • DVP
  • F-
  • FIREW
  • FP-
  • ICL
  • MCAFEE
  • MON
  • NOD32
  • PCC
  • PCCW
  • SCAN
  • SWEEP
  • TDS2-
  • TRAP
  • VET
  • VSHW
A copy of the worm is saved to the WINDOWS SYSTEM directory as WINSYS#.EXE, where # is a 2- or 3-digit number. A registry run key value is created to load the worm at startup:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32.dll module=%Worm Path%
The worm attempts to use WINZIP32.EXE to create a .ZIP version of itself in the WINDOWS SYSTEM directory, using the same name as the dropped .EXE file in that directory. It then overwrites the mIRC script.ini file with instructions to send the .ZIP copy to users who join the same channel as the infected user. If WINZIP32.EXE is not installed on the infected system, the SCRIPT.INI instructions will fail.

A base64 encoded version of the worm is written to the root directory as BOOT64.BIN. This is used by the worm during its email function. Email addresses are harvested from the *.HTM files in the Temporary Internet Files directory and subdirectories. The worm attempts to send itself to the addresses found.

The worm queries the registry for the KaZaa transfer directory. It then creates copies of itself in the specified folder using one of the following file names:
  • kmd22.exe
  • winxpserial.exe
  • wamp3.exe
  • wmplay9.exe
Attempts are also made to copy the worm to the following folders, using the same filenames:
  • C:\Program Files\Edonkey2000\Incoming
  • C:\Program Files\Bearshare\Shared
  • C:\Program Files\Morpheus\My Shared Folder
After infection occurs, a registry value is created as an infection marker:
  • HKEY_LOCAL_MACHINE\Software\PieceByPieceB "inf"=yep
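The host indicators listed above (the Run value masquerading as Kernel32.dll, the WINSYS##.EXE/.ZIP drop in the system directory, BOOT64.BIN in the drive root, the peer-to-peer lure names, and the HKLM\Software\PieceByPieceB marker) can be checked against a host snapshot with the following script. It is an added example written for this page, not McAfee's own tooling: the snapshot format (a dict of registry keys and a list of file paths) is this example's own invention, the sample snapshots are constructed rather than captured, and the reading of "Kernel32.dll module=%Worm Path%" as a value named "Kernel32.dll module" is an assumption, as is accepting either SYSTEM or SYSTEM32 as the "WINDOWS SYSTEM directory".

```python
import re
from typing import Dict, List

# Indicators transcribed from the description above.  The snapshot format
# (registry keys -> {value name: data}, plus a list of file paths) is this
# example's own, not a McAfee format.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\piecebypieceb"
P2P_DROP_NAMES = {"kmd22.exe", "winxpserial.exe", "wamp3.exe", "wmplay9.exe"}
P2P_DROP_DIRS = {
    r"c:\program files\edonkey2000\incoming",
    r"c:\program files\bearshare\shared",
    r"c:\program files\morpheus\my shared folder",
}
# WINSYS followed by a 2- or 3-digit number; the same stem is reused for the
# WinZip-produced .ZIP copy.
WINSYS_RE = re.compile(r"^winsys\d{2,3}\.(exe|zip)$")
DRIVE_ROOT_RE = re.compile(r"^[a-z]:$")


def _split_path(path: str):
    """Lower-case a Windows path and split it into (folder, filename)."""
    folder, _, name = path.lower().rpartition("\\")
    return folder, name


def scan_snapshot(snapshot: Dict) -> List[str]:
    """Return one finding string per Pepex indicator present in the snapshot."""
    findings: List[str] = []
    registry = {
        key.lower(): {vn.lower(): str(data) for vn, data in values.items()}
        for key, values in snapshot.get("registry", {}).items()
    }

    # Persistence: a Run value whose name impersonates Kernel32.dll.
    # Assumption: "Kernel32.dll module=%Worm Path%" denotes a value named
    # "Kernel32.dll module" whose data is the worm path.
    for name, data in registry.get(RUN_KEY, {}).items():
        if name.startswith("kernel32.dll"):
            findings.append(f"run-key persistence: {name} -> {data}")

    # Infection marker left after the first run.
    if registry.get(MARKER_KEY, {}).get("inf") == "yep":
        findings.append("infection marker: HKLM\\Software\\PieceByPieceB inf=yep")

    for path in snapshot.get("files", []):
        folder, name = _split_path(path)
        # WINSYS##.EXE / .ZIP in the Windows system directory.  Assumption:
        # SYSTEM or SYSTEM32, since the page says only "WINDOWS SYSTEM directory".
        if WINSYS_RE.match(name) and folder.endswith(("\\system", "\\system32")):
            findings.append(f"dropped worm copy: {path}")
        # Base64 copy used by the mailing routine, written to the root directory.
        elif name == "boot64.bin" and DRIVE_ROOT_RE.match(folder):
            findings.append(f"base64 mail payload: {path}")
        # Lure names copied into peer-to-peer shared folders.  The KaZaa transfer
        # folder is read from the registry by the worm and is not fixed, so the
        # names are flagged wherever they occur and the folder is reported.
        elif name in P2P_DROP_NAMES:
            where = "known P2P share" if folder in P2P_DROP_DIRS else "other folder"
            findings.append(f"P2P lure file ({where}): {path}")

    return findings


# Constructed sample snapshot of an infected host (not captured data).
INFECTED_SNAPSHOT = {
    "registry": {
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Kernel32.dll module": r"C:\WINDOWS\SYSTEM\WINSYS47.EXE",
        },
        r"HKEY_LOCAL_MACHINE\Software\PieceByPieceB": {"inf": "yep"},
    },
    "files": [
        r"C:\WINDOWS\SYSTEM\WINSYS47.EXE",
        r"C:\WINDOWS\SYSTEM\WINSYS47.ZIP",
        r"C:\BOOT64.BIN",
        r"C:\Program Files\Bearshare\Shared\winxpserial.exe",
        r"C:\Downloads\kmd22.exe",
        r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",  # legitimate file, must not be flagged
    ],
}

# Constructed clean snapshot with a legitimate Run entry and similar-looking files.
CLEAN_SNAPSHOT = {
    "registry": {
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
            "ctfmon.exe": r"C:\WINDOWS\SYSTEM32\ctfmon.exe",
        },
    },
    "files": [r"C:\WINDOWS\SYSTEM32\kernel32.dll", r"C:\WINDOWS\SYSTEM32\winsys.dll"],
}

if __name__ == "__main__":
    for line in scan_snapshot(INFECTED_SNAPSHOT):
        print(line)
```

The matching is deliberately case-insensitive throughout, since both the registry and the FAT/NTFS file systems of the affected Windows versions are case-insensitive; the Run-value check keys on the value name rather than its data, because the worm path varies with the random WINSYS number.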

Symptoms

The first time the worm is run a fake message is displayed:

Error! This process will be terminated.

If the date is October 18, a message box is displayed:

Sucking back a cigarette Thinking about new regrets Trying to be someone you'd like to be Passing faces on the road Where the hell can we still go? Leaves us open to temptation... -Feeder <Piece By Piece> I-Worm/PiecebyPiece.B by MI_pirat

Method of Infection

This worm arrives via email, IRC, KaZaa, Morpheus, or Bearshare.

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Pepex.b (AVP)
  • W32.Jonbarr.C@mm (Symantec)
  • WORM_PIBI.B (Trend)
