Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Piggi.B carries out the following actions:
- It has rootkit functionalities in order to hide its files and make its detection more difficult.
- It ends the following processes, belonging to antivirus programs, if they are active:
navapsvc
McShield
SymAppCore
- It prevents the following processes from being updated:
Aupdate.exe
Lual.exe
These processes belong to antivirus programs.
Infection strategy
Piggi.B creates the following files:
- LSASS.EXE in the Windows system directory. This file is a copy of the worm.
- IEXPLORE.EXE, in the subfolder INTERNET EXPLORER of the Program Files directory, which is where the original file of Internet Explorer is located. This file is copied into the subfolder DLLCACHE of the Windows system directory.
This way, whenever Internet Explorer is run, Piggi.B runs first, followed by Internet Explorer.
- MSFSR.SYS, in the Windows system directory.
- ??????.SYS, in the subfolder DRIVERS of the Windows system directory,
where ?????? stands for six random characters.
These two files belong to rootkits, which hide the files created by Piggi.B.
- ZYXWVUTS.LOG, in the root directory of the C: drive. In this file, it stores the names of the files that the rootkits must hide.
Piggi.B creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%name of the original file run% = %path where the file has been run%
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SvcHost = %sysdir%\lsass.exe
where %sysdir% is the Windows system directory.
By creating these entries, Piggi.B ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msfsr
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%file of 6 random characters%
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcHost
By creating these entries, Piggi.B creates the services necessary to activate the rootkits.
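The registry entries listed above can be checked in a saved text export of the Run and Services keys. This is an added example, not Panda's tooling: the function names and the sample export are constructed, and the input is assumed to be in the layout printed by `reg query`.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SERVICE_NAMES = {"msfsr", "svchost"}  # fixed service key names from the page

# Constructed sample in the layout printed by `reg query`; not from a real host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    SvcHost    REG_SZ    C:\WINDOWS\system32\lsass.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msfsr
    Type    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data); value_name is None for the key line itself."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            yield key, None, None
        elif key and line.startswith("    "):
            # Value lines are "name<4 spaces>type<4 spaces>data".
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def find_persistence(text):
    """Return (kind, key, detail) tuples for entries matching the write-up."""
    hits = []
    for key, name, data in parse_reg_query(text):
        low = key.lower()
        if name is None:
            if low.startswith(SERVICES) and low[len(SERVICES):] in SERVICE_NAMES:
                hits.append(("service-key", key, low[len(SERVICES):]))
        elif low == RUN_KEY and name.lower() == "svchost":
            # The Run value named SvcHost points at the worm's lsass.exe copy.
            target = PureWindowsPath(data.strip('"')).name.lower()
            if target == "lsass.exe":
                hits.append(("run-value", key, data))
    return hits

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE):
        print(hit)
```

The service key with six random characters cannot be matched by name, so this check covers only the fixed names msfsr and SvcHost.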
Means of transmission
Piggi.B spreads via email and through peer-to-peer (P2P) file sharing programs.
1. Propagation via email.
In order to do so, it follows the routine below:
- It reaches the computer in an email message with the following characteristics:
Sender: one of the following:
%random name%@aol.com
%random name%@hotmail.com
%random name%@msn.com
%random name%@yahoo.com
updates@McAfee.com
updates@Microsoft.com
updates@Symantec.com
Subject: it is variable and can be one of the following, among others:
Carmen Electra
casino
Final Fantasy XIII
Screensaver attached.
See the attachment
The complete list of Subjects can be consulted here.
Message: it creates random texts from a list of text strings that it combines randomly.
Attachment: it has random names.
- The computer is affected when the attached file is run.
2. Propagation through P2P programs.
In order to do so, it follows the routine below:
- Piggi.B creates copies of itself in the directories that contain any of the following text strings:
BearShare
Collections
Downloads
my shared folder
share
shared
upload
uploads
which are shared directories belonging to several P2P programs.
- The names it uses in order to copy itself consist of two parts:
The first part: one of the following names:
1234567890
10,000 B.C., 28 Weeks Later, 30 Days of Night, 30 Rock season 2.
A
Across the Universe, Age of Conan-Hyborian Adventures, Alpha Dog, American Gangster, Angel-A, Angelina Jolie(unseen), Are We Done Yet?, Atonement, August Rush.
B
Balls of Fury, Because I Said So, Beowulf, Black Book, Blades of Glory, Breach, Britney Spears(unseen), Brother & Sisters season 2.
C
Captivity, Carmen Electra(unseen), Caution, Command & Conquer 3-Tiberium Wars, Company of Heroes, Criminal Minds - next season, CSI-London.
D
Dallas, Dancing with the Stars - next season, Death at a Funeral, Delta Farce, Desperados 2-Cooper's Revenge, Desperate Housewives - next season, Disturbia, Dragon Age, Dreamfall-The Longest Journey, Dungeons & Dragons Online-Stormreach.
E
Eastern Promises, El Cantante, Elder Scrolls IV-Oblivion, Enchanted, Enemy Territory-Quake Wars, Epic Movie, Evening.
F
Fantastic Four 2, Final Fantasy XIV, Firehouse Dog, Fly Me to the Moon, Foodfight!, Fracture, Fragile, Freedom Writers, Full Auto 2-Battlelines, Full of It.
G
Gears of War, Ghost Recon-Advanced Warfighter, Gilmore Girls season 8, God Grew Tired of Us, Gran Turismo HD, Grand Theft Auto IV, Grind House, Guild Wars-Factions.
H
Hairspray, Half-Life 2-Aftermath, Halloween, Hannibal Rising, Hellgate-London, Heroes of Might & Magic V, Hilary Duff(unseen), His Dark Materials-The Golden Compass, Horton Hears a Who, Hostel 2, Hot Fuzz, Hot Rod.
I
In the Land of Women, Inkheart, Iron Man.
J
Jennifer Lopez(unseen), Jessica Alba(unseen), Jessica Simpson(unseen), Journey 3-D, Jumper.
K
Kidnapped season 2, Kingdom Hearts 2, Kung Fu Panda.
L
La Vie en Rose, Lucky You, Lust.
M
Master of Time and Space, Metal Gear-Subsistence, Metroid Prime Hunters.
N
No Reservations.
O
Ocean's Thirteen, Offside, Okami, Opus-The Last Christmas.
P
Pamela Anderson(unseen), Paris Hilton(unseen), Pathfinder, Perfect Stranger, Pride, Pride & Glory, Prison Break season 3, Prom Night (2007).
R
Rainbow Six-Vegas, Red Steel, Reservation Road, Resistance-Fall of Man, Rise of Nations-Rise of Legends, Rocket Science, Rogue, Romeo & Juliet-Sealed with a Kiss.
S
S.T.A.L.K.E.R.-Shadow of Chernobyl, Scrubs - next season, Seven Day Itch, Severance, Shoot 'Em Up, Shooter, Skinwalkers, Slow Burn, Smokin' Aces, South Park season 11, Southland Tales, Splinter Cell Essentials, Splinter Cell-Double Agent, Spring Breakdown, Standoff season 2, Star Trek-Legacy, Star Wars-Empire at War, Starcraft-Ghost, Stardust, Stomp the Yard, Strange Wilderness, Strangers, Sunshine, Super Bad, Supreme Commander, Surf's Up.
T
Talk to Me, The Assassination of Jesse James, The Astronaut Farmer, The Dark Is Rising, The Flock, The Half Life of Timofey Berezin, The Hitcher, The Hoax, The Host, The Ice at the Bottom of the World, The Invasion, The Invisible, The Kingdom, The Last Legion, The Last Sin Eater, The Lives of Others, The Lord of the Rings-The Battle for Middle-earth II, The Messengers, The Namesake, The Nine season 2, The Number 23, The OC season 5, The Office season 4, The Reaping, The Simpsons, The Spiderwick Chronicles, The Transformers, The TV Set, The Ultimate Gift, The Valet, The Waterhorse, This Christmas, Til Death season 2, Too Human, Trade, Trick 'r Treat.
U
Ugly Betty season 2, Underdog, Untraceable.
V
Vacancy, Vanguard Saga of Heros, Vantage Point, Veronica Mars - next season, Vista, Vista Ultimate.
W
Whisper, Wild Hogs, Without a Trace - next season, Wonder Woman, World of Warcraft-The Burning Crusade.
Z
Zodiac.
The second part: one of the following:
- Full.exe
- Keygen.exe
.avi.com
.iso.exe
.mp4.com
.zip.exe
- Other users of these programs can remotely access these shared directories. This way, they voluntarily download these files to their computers, thinking that they are useful computer programs. However, they will actually download a copy of the worm to their computers.
- When the downloaded file is run, such computers will be affected by Piggi.B.
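The naming scheme described above (a lure title followed by a second part such as .avi.com or Keygen.exe, dropped into directories whose path contains a sharing-related string) can be matched against a file listing. This is an added example, not part of the original write-up: the function names and the sample listing are constructed, and the size check uses the 73,216-byte figure given under Further Details.

```python
import re
from pathlib import PureWindowsPath

# Strings taken from the lists above (compared case-insensitively).
SHARE_HINTS = ("bearshare", "collections", "downloads", "my shared folder",
               "share", "shared", "upload", "uploads")
DOUBLE_EXT = (".avi.com", ".iso.exe", ".mp4.com", ".zip.exe")
# "Full.exe" / "Keygen.exe" as a separate trailing word, so "careful.exe" is not hit.
LURE_TAIL = re.compile(r"(?:^|[ \-])(?:full|keygen)\.exe$")
SAMPLE_SIZE = 73216  # bytes, the size the page gives for Piggi.B

def classify(path, size=None):
    """Return the reasons a file matches the naming scheme, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name.endswith(DOUBLE_EXT):
        reasons = ["double-extension"]
    elif LURE_TAIL.search(name):
        reasons = ["lure-tail"]
    else:
        return None
    # The page says the target directories *contain* these strings.
    if any(hint in str(p.parent).lower() for hint in SHARE_HINTS):
        reasons.append("shared-dir")
    if size == SAMPLE_SIZE:
        reasons.append("size-match")
    return reasons

def triage(listing):
    """listing: iterable of (path, size). Returns {path: reasons} for matches."""
    out = {}
    for path, size in listing:
        reasons = classify(path, size)
        if reasons:
            out[path] = reasons
    return out

# Constructed listing for illustration; not taken from a real host.
LISTING = [
    (r"C:\Program Files\BearShare\Shared\Iron Man.avi.com", 73216),
    (r"D:\My Downloads\Vista Ultimate - Keygen.exe", 73216),
    (r"C:\Users\a\Downloads\holiday.avi", 700000000),
    (r"C:\Tools\careful.exe", 20480),
    (r"C:\Temp\report.zip.exe", 1024),
]

if __name__ == "__main__":
    for path, reasons in triage(LISTING).items():
        print(f"{path}: {', '.join(reasons)}")
```

A name match alone is a triage signal rather than a verdict; the shared-directory and size reasons narrow it toward the behaviour this page describes.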
Further Details
Piggi.B is 73,216 bytes in size and it is compressed with Yodaprot.