Worm.Phorpiex.M
Posted: September 25, 2012
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
| Threat Level: | 5/10 |
|---|---|
| Infected PCs: | 1,155 |
| First Seen: | September 25, 2012 |
| OS(es) Affected: | Windows |
Worm:Win32/Phorpiex.M uses worm-based functions to distribute itself through both spam e-mail messages and removable drives, with its final payload including the compromise of any infected PC's security for the sake of allowing a remote attacker to gain control. Worm:Win32/Phorpiex.M may install other types of PC threats and will make specific efforts towards dismantling your computer's firewall security features. Since Worm:Win32/Phorpiex.M is both a worm and a backdoor Trojan, SpywareRemove.com malware experts rate Worm:Win32/Phorpiex.M as a high-level PC threat and encourage the isolation of your PC (to prevent Worm:Win32/Phorpiex.M from spreading), followed by removing Worm:Win32/Phorpiex.M with any suitably sophisticated brand of anti-malware product.
Why Worm:Win32/Phorpiex.M will not Look 'So Beautiful' On Your Hard Drive
Worm:Win32/Phorpiex.M's most identifiable distribution mechanism uses spam e-mail messages that are sent through already-compromised PCs in its botnet, with its probable targets including any e-mail addresses that can be harvested from these PCs. E-mails that carry Worm:Win32/Phorpiex.M disguise their ZIP-archived Worm:Win32/Phorpiex.M attachments as some form of personal photograph, with any of over a dozen tag lines used to make it look like a normal e-mail from an acquaintance. SpywareRemove.com malware researchers also warn that, even after Worm:Win32/Phorpiex.M is installed, Worm:Win32/Phorpiex.M will name some of its components to resemble Windows files, and can hide copies of itself by changing your file-viewing settings.
However, SpywareRemove.com malware researchers consider Worm:Win32/Phorpiex.M's primary attack its backdoor function, which lets criminals use an IRC-based C&C server to control your computer and send Worm:Win32/Phorpiex.M commands. With the appropriate instructions, Worm:Win32/Phorpiex.M may install other forms of malware, gather a limited amount of information about your PC, create firewall vulnerabilities via Registry changes or even uninstall itself.
Perhaps most importantly for SpywareRemove.com malware analysts, Worm:Win32/Phorpiex.M also attempts to avoid being analyzed in sandbox-protected virtual environments. If Worm:Win32/Phorpiex.M is launched from within a virtual machine, Worm:Win32/Phorpiex.M will terminate itself. Conveniently, casual PC users may also use sandbox utilities to protect their PCs from Worm:Win32/Phorpiex.M and comparable PC threats.
Getting All Signs of the Worm:Win32/Phorpiex.M Infestation Out of the Way
Many worms use local networks and removable drives (USB devices, etc.) to distribute themselves, and Worm:Win32/Phorpiex.M also abuses this well-defined worm strategy. If you're using a Worm:Win32/Phorpiex.M-infected PC, SpywareRemove.com malware experts heartily endorse the total prevention of any network or removable drive-based contact with other PCs until you've removed all copies of Worm:Win32/Phorpiex.M. Worm:Win32/Phorpiex.M will use basic file-viewing settings changes to conceal its copies and, whenever convenient, install itself on an uninfected computer automatically.
While Worm:Win32/Phorpiex.M is a generalized PC threat with broad attack functions (rather than the specific risks associated with specialized PC threats, such as a banking Trojan), the risks posed by a Worm:Win32/Phorpiex.M infection never should be underestimated. Competent and updated anti-malware applications always should be utilized for disinfecting Worm:Win32/Phorpiex.M, which will try to avoid being detected or deleted if at all possible.
Worm:Win32/Phorpiex.M's aliases include PWS-Zbot.gen.ary, Trojan.Win32.Jorik.IRCbot.waj, BackDoor.IRC.Bot.2232, Trojan-PWS.Win32.Fareit, Troj/IRCbot-AKR and WORM_PHORPIEX.JZ.
Technical Details
File System Modifications
The following files were created in the system. Each is listed with File type: Executable File, Mime Type: unknown/exe, Group: Malware file.

| File | Size | MD5 | Detection count | Last Updated |
|---|---|---|---|---|
| %USERPROFILE%\6438640620394286720310355\winsvc.exe | 66.56 KB (66560 bytes) | 838c520f8af4d864f6be405e2d3fe3f8 | 126 | February 6, 2013 |
| %USERPROFILE%\M-1-52-5782-8754-5245\winsam.exe | 199.16 KB (199169 bytes) | 8069cd7e4383681d8b96055c52a74caf | 55 | January 5, 2013 |
| %USERPROFILE%\uihiugigzugi\winsvn.exe | 59.39 KB (59392 bytes) | 42729638d444f1808017895d2af9bee0 | 43 | March 12, 2013 |
| %USERPROFILE%\S-500-9430-5849-2045\winmgr.exe | 77.31 KB (77312 bytes) | f7d4eb4c0eb3caa1d6f9d95a32e737c4 | 26 | April 22, 2013 |
| %USERPROFILE%\M-87-78985-6027-77788\winsvcr.exe | 14.33 KB (14336 bytes) | 4e10ef2eea4e158924394f1c93028deb | 5 | October 5, 2012 |
Additional Information
| # | Message |
|---|---|
| 1 | Attachment: “-JPG.scr” contained within a ZIP file, for example, “0540435562-JPG.zip”<br>Subject (any of the following):<br>I cant believe I still have this picture<br>I love your picture!<br>Is this you??<br>Picture of you???<br>Should I upload this picture on facebook?<br>Someone showed me your picture<br>Someone told me it’s your picture<br>Take a look at my new picture please<br>Tell me what you think of this picture<br>This is the funniest picture ever!<br>What do you think of my new hair<br>What you think of my new hair color?<br>What you think of this picture?<br>You look so beautiful on this picture<br>You should take a look at this picture<br>Your photo isn’t really that great |
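
A mail-gateway triage check for the lure described in the table above, as an added example that is not SpywareRemove.com's code: it matches the listed subject lines and looks inside ZIP attachments for a member ending in “-JPG.scr”. The function names, the extra executable extensions and the sample message (inert bytes, constructed) are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines listed on this page, lowercased with straight apostrophes.
LURES = set("""i cant believe i still have this picture|i love your picture!
is this you??|picture of you???|should i upload this picture on facebook?
someone showed me your picture|someone told me it's your picture
take a look at my new picture please|tell me what you think of this picture
this is the funniest picture ever!|what do you think of my new hair
what you think of my new hair color?|what you think of this picture?
you look so beautiful on this picture|you should take a look at this picture
your photo isn't really that great""".replace("\n", "|").split("|"))

# Archive member named like a photo but carrying an executable extension.
# "-JPG.scr" is from the page; the other extensions are an added generalisation.
DISGUISED = re.compile(r"-jpg\.(scr|exe|pif|com)$", re.IGNORECASE)

def norm(subject):
    return str(subject).replace("\u2019", "'").strip().lower()

def disguised_members(msg):
    """Return disguised executable names found inside ZIP attachments."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):  # trust content, not filename
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits += [n for n in zf.namelist() if DISGUISED.search(n)]
    return hits

def triage(raw_message):
    msg = message_from_bytes(raw_message, policy=policy.default)
    return {"subject_lure": norm(msg["Subject"] or "") in LURES,
            "members": disguised_members(msg)}

def build_sample(subject, member):
    """Constructed test mail: inert bytes in a ZIP, no real sample involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"inert placeholder")
    mail = EmailMessage()
    mail["Subject"] = subject
    mail.set_content("constructed body")
    mail.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                        filename="0540435562-JPG.zip")
    return mail.as_bytes()
```

A non-empty `members` list is the stronger signal of the two, since the subject lines are ordinary phrases that can also appear in legitimate mail.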