W32.Pigfeng


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 08 Apr 2008
Damage: Low

Characteristics: A virus that infects files, particularly the .exe files, was discovered on April 8, 2008. This virus is called W32.Pigfeng. This file infecting virus also attempts to download a file from a remote location. Most operating systems affected by this worm are Windows 98, 95, XP, Me, Vista, NT, Server 2003 and 2000.

More details about W32.Pigfeng

When W32.Pigfeng is executed, the virus copies itself as shl.exe under the %Windir% folder. It also creates testwin.txt under drive c:. Moreover, the virus modifies a certain system registry entry and searches for all %UserProfile%\Desktop\*.lnk files. This process enables the virus to check if the link points to any .exe file. And once this link points to a .exe file, the virus infects the file by adding a downloader to the file. Once the infected file runs, the virus drops a clean file to the same folder using [ORIGINAL FILE NAME].exe\x7f as the file name format. Then, the virus set the clean file to hidden and system attributes to finally execute it. Lastly, the virus downloads[http://]d.feng6.us/[REMOVED] and execute it.

The W32.Pigfengsoftware places its files in the system. These may use random characters for their file names. This is commonly done to prevent detection. Users report the components are often placed in the Windows or System folder. The processes are also added to the system registry. This makes sure the application runs at system startup. The W32.Pigfeng application connects to a remote server. It may open an idle system port to create a backdoor. It may also facilitate the connection by launching a hidden browser window. The software downloads unwanted files into the system. The files and server may change from time-to-time to prevent detection.