1. Symantec/
  2. Security Response/
  3. W32.Pilleuz


Risk Level 2: Low

September 29, 2009
November 19, 2013 9:49:22 AM
Also Known As:
W32/Autorun.worm!a758e0e7 [McAfee], W32/Rimecud [McAfee], W32/Autorun-AUP [Sophos], ButterflyBot.A [Panda Software], Metulji [Panda Software]
Infection Length:
109,056 bytes
Systems Affected:
W32.Pilleuz is a worm that spreads through file-sharing programs, MSN Messenger, and removable drives. It also opens a back door on the compromised computer.

Bot creation
W32.Pilleuz is a worm that can be created by using a bot creation kit also known as the "Butterfly" or "Mariposa" bot creation kit. The purpose of the kit is malicious in nature as it allows someone to create a worm with destructive capabilities despite the authors of the kit claiming that it was developed for research purposes only. The kit is a professionally constructed piece of software providing easy access to a range of powerful features and even includes a user manual to help users get started. Such is the ease-of-use of this bot creation kit, it has become a popular resource used by online criminals.

Once the bots are created, they are distributed to computers across the Internet in order to establish a malicious botnet. The botnet is comprised of two types of components:
  • Command and control (C&C) server
  • Bot (the worm)

The worm can arrive on a compromised computer through various means, which will be discussed in the next section. The author can specify multiple C&C servers, which can be used to communicate with bots that are installed on compromised computers. Once installed on the computer, it opens a back door and communicates with one of the specified C&C servers in order to carry out the commands of the remote attacker.

W32.Pilleuz employs three methods of propagation:
  • File-sharing applications
  • MSN Messenger
  • Removable drives

The worm spreads by copying itself to the shared folder of certain file-sharing applications. It is capable of connecting to certain websites, which have a list of file names to use. It then copies itself to the shared folders as the file names it has obtained from the website.

It may also attempt to spread through the MSN Messenger instant messaging application. The worm periodically checks whether the application is executing and then injects itself into the msnmsgr.exe process. It then sends a customized link that points to a copy of itself to all of the contacts in the application.

Furthermore, the worm attempts to spread through removable drives. When a drive is inserted into the compromised computer, the worm copies itself to the drive. It also uses the AutoRun feature of Windows to run automatically. It does this by modifying the autorun.inf file and then locking it so that no other software or malware can use Autorun to execute. The autorun.inf file stays locked until the drive is removed from the computer.

A list of the spreading capabilities can be seen described in the user manual of the bot creation kit.

Once the worm is installed on a compromised computer, it can communicate with a remote command and control (C&C) server using encrypted UDP to establish a back door connection. This back door allows a remote attacker to gain access to the compromised computer. The remote attacker may then perform any of the following actions:
  • Download more files, including updates to itself
  • Downloads adware
  • Manipulate cookies
  • Perform distributed denial of service (DDoS) attacks
  • Steal information

The bot creation kit describes an extensive list of the features, which a would-be criminal can choose from. This is documented in the user manual that comes with the kit.

Once installed on the computer, it may steal credit card information and banking details etc. It also manipulates cookies stored in browsers on the computer in order to steal commission from certain online purchases.

Concentration of bot detections
W32.Pilleuz has primarily been observed in the following locations:
  • India
  • Mexico
  • United States

While the three countries above have witnessed the most instances of the threat, India is by far the most affected location. There are at least four times as many instances of the worm in India as there are in the next most affected country, Mexico. It has also been cliamed that half of the Fortune 100 companies have at one stage or another been compromised by this worm.

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

    AutoRun and W32.Pilleuz
    Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it.

    For more information, see the following resource:
    How to prevent a virus from spreading using the "AutoRun" feature

    Antivirus Protection Dates

    • Initial Rapid Release version September 30, 2009 revision 001
    • Latest Rapid Release version March 24, 2018 revision 004
    • Initial Daily Certified version September 30, 2009 revision 002
    • Latest Daily Certified version March 24, 2018 revision 001
    • Initial Weekly Certified release date September 30, 2009
    Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
    Writeup By: Eoin Ward and Éamonn Young

    Search Threats

    Search by name
    Example: W32.Beagle.AG@mm
    STAR Antimalware Protection Technologies
    2016 Internet Security Threat Report, Volume 21
    • Twitter
    • Facebook
    • LinkedIn
    • Google+
    • YouTube