Alias: Worm.Win32.Warpigs.a, W95/Warpigs.B, W32.HLLW.Warpig
Type: Worm
Size: 63,520 Bytes
Origin:
Date: 00-00-0000
Damage: Spreading over shared networks.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: Medium

Distribution
It tries to spread over shared networks.

Technical Details
Worm/Warpigs.A1 copies itself as C:\%System%\Discworld.exe. It also creates the file C:\%System%\Pgonwe.exe, which it uses to send copies of itself to computers with weak administrator passwords. Some of the passwords used are:
%null%
aerobics
adult
adrianna
adrian
adam
action
account
accept
academic
academia
000000
00000
0000
testing
death
xxxxxxxxx
xxxxxxxx
xxxxxxx
xxxxxx
xxxxx
xxxx
guessme
youwontguessme
uwontguessme
mirc
kiddie
scriptkiddie
script
hax0r
hacker

Then, the worm tries to terminate the following processes:
Netstat.exe
Taskmgr.exe
Msconfig.exe
Regedit.exe

It creates the following autorun registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winsockdriver"="Discworld.exe"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "winsockdriver"="Discworld.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS. update "bla"=

The worm modifies the System.ini file by replacing "shell"="explorer.exe" with "shell"="explorer.exe Discworld.exe".

It also modifies the Shell entry in the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
replacing "explorer.exe" with "explorer.exe winupdate.exe", so that the worm is activated on every system start.
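The following check for the persistence changes described above is an added example, not part of the original description. It scans the text of a System.ini file or a registry export for the file names listed on this page and, going slightly beyond this worm, reports any program appended after explorer.exe in a shell value. The sample inputs and function names are constructed for illustration.

```python
import re

# File names and value names taken from the description above.
WORM_FILES = {"discworld.exe", "pgonwe.exe", "winupdate.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.I)

# Constructed samples: an infected System.ini and a .reg export.
SAMPLE_INI = "[boot]\nshell=explorer.exe Discworld.exe\n"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsockdriver"="Discworld.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winupdate.exe"
'''

def parse_sections(text):
    """Parse INI-style text (System.ini or a .reg export) into {section: {name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            current[name.strip().strip('"').lower()] = value.strip().strip('"')
    return sections

def find_persistence(text):
    """Return (section, value name, suspicious data) tuples found in the text."""
    findings = []
    for section, values in parse_sections(text).items():
        shell = values.get("shell")
        if shell is not None and (section == "boot" or section.endswith("\\winlogon")):
            # Anything listed besides explorer.exe is started at every logon.
            findings.extend((section, "shell", t) for t in shell.split()
                            if t.lower() != "explorer.exe")
        if RUN_KEY_RE.search(section):
            for name, value in values.items():
                if value.split("\\")[-1].lower() in WORM_FILES:
                    findings.append((section, name, value))
    return findings

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_INI) + find_persistence(SAMPLE_REG):
        print(finding)
```

Files written by `reg export` are UTF-16 encoded, so decode them accordingly before passing the text to `find_persistence`.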

It connects to a special mIRC server to receive instructions. Some of these allow it to:
- terminate some active processes
- start Denial of Service (DoS) attacks
- delete/ create files and folders
- boot the computer
- run programs.
Description inserted by Crony Walker on Tuesday, June 15, 2004
