Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Win32.Warpigs.B

Dec 11, 2003 11:40PM PST

Alias: W32/Warpi.worm.gen (McAfee),
Win32/Warpigs.B.Worm,
Worm.Win32.Warpigs (Kaspersky)
Category: Win32
Type: Worm
Published Date: 12/11/2003
Last Modified: 12/11/2003

CHARACTERISTICS
Win32.Warpigs.B is a UPX-packed, 67,104 byte worm that spreads via network shares. It also contains backdoor functionality that allows unauthorized accesss to a victim's machine.

Method of Installation
When executed, Win32.Warpigs.B copies itself to the %System% directory as WINUPDATE.EXE and then deletes the original copy that was executed.

It also adds itself to the registry to ensure that this copy is run at each Windows start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "winupdate.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WindowsUpdate = "winupdate.exe"

The run key in SYSTEM.INI is also modified to run winupdate.exe upon startup:

[boot]
shell="explorer.exe winupdate.exe"

http://www3.ca.com/virusinfo/virus.aspx?ID=37741

Discussion is locked