This month one of the families introduced to MSRT is Win32/Phorpiex, a worm that spreads via removable drives and has IRC controlled backdoor functionality.

In most respects Phorpiex is another worm, with typical command and control via IRC as well as spreading via removable drives. Like many other malware it usually does this by using Autorun, copying itself to the removable drive and writing an "autorun.inf" file to ensure execution on access, assuming the system is configured to allow autorun.

Win32/Phorpiex differs from most other malware by also using another trick to dupe unsuspecting users. This is another variation on the usual theme of getting users to click to execute the malware.

Phorpiex checks if a particular removable drive contains any folders; the following is a genuine example of a removable drive with folders:

 

So there it is, a group of innocuous folders sitting there, and along comes Phorpiex looking for them. After which this happens:

 

Yes, these appear to be the same folders as before, but notice the little shortcut arrows on the folder icons. That is correct - Phorpiex has replaced the folders with shortcuts containing folder icons! We delve further by displaying hidden items in Explorer:

 

The original folders have been hidden, but there appears to be another hidden folder. Let's go take a look inside:

 

And there we have it - three versions of Win32/Phorpiex with the same names as the original three folders hiding inside.
OK, but what does this mean? When someone clicks on one of the shortcuts with the folder icon what will be running is Win32/Phorpiex.

Here is where the illusion breaks down, because the user expects to go into the folder in Explorer to view its contents. In this case there is no feedback after clicking on one of the shortcuts.

More malware smoke and mirrors and a good reason to disable autorun functionality if you haven't already -  and here's how to do it.

Ray Roberts
MMPC Melbourne