Backdoor.pirpi Description

Pirpi is a backdoor Trojan that has been linked to a recently uncovered zero-day vulnerability in Internet Explorer. Pirpi has been around for a while; however, cybercrooks have updated it to exploit this newly detected vulnerability, making Pirpi more vicious and more difficult to detect and remove. The vulnerability affects versions 6, 7 and 8 of Internet Explorer. Pirpi is being distributed through corrupted spam email attachments that rely on a social engineering lure: the message claims that the attachment is the confirmation of a hotel reservation in the victim's name.

Pirpi was first detected in 2009, although the newest version of Pirpi is considerably more powerful. Pirpi communicates with servers located in Poland, but malware analysts have noted that other variants of Pirpi communicating with different sources have also been detected. Some of the defining characteristics of Pirpi may include the following:

  • Pirpi is a powerful backdoor Trojan that may grant full access to the infected computer to a third party.
  • Pirpi may use a threatening, corrupted GIF file to enter the infected computer.
  • Pirpi is closely related to the Internet Explorer zero-day vulnerability mentioned above.

Pirpi is a Gateway for Third Parties to Invade Your Computer

Initial Pirpi attacks were observed on low-quality URLs often associated with unsafe online content such as pornographic material. Malware researchers reported that when the attack website was accessed, a threatening GIF file was downloaded from a remote server. This GIF contained an obfuscated executable named alg.exe, which installed Pirpi on the infected computer. Once installed, Pirpi establishes a backdoor on the infected computer, through which third parties may observe the computer, control it from a remote location and manipulate its contents. A failed attempt to exploit the vulnerability mentioned above may cause Internet Explorer to crash. Because exploitation has a low success rate, victims may notice that their Web browser crashes frequently before Pirpi is installed; such behavior should prompt computer users to scan their computer with a reliable security application.
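As an added defender-side example (not code from the original description, and not Pirpi's own loader), the following Python check walks a GIF's block structure and flags any bytes appended after the 0x3B trailer, one place where an executable hidden inside an image file would sit. The sample images and the fake PE stub are constructed here for illustration; they are not the alg.exe dropper.

```python
GIF_TRAILER, IMAGE_SEPARATOR, EXTENSION_INTRODUCER = 0x3B, 0x2C, 0x21  # GIF block introducers

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past length-prefixed sub-blocks, returning the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos

def find_gif_end(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13                         # logical screen descriptor ends at 13
    if packed & 0x80:                                  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == GIF_TRAILER:
            return pos
        if block == EXTENSION_INTRODUCER:              # label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == IMAGE_SEPARATOR:                 # 9-byte image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            img_packed, pos = data[pos + 8], pos + 9
            if img_packed & 0x80:                      # local colour table present
                pos += 3 * (2 ** ((img_packed & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)      # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("truncated: no trailer")

def inspect_gif(data: bytes) -> dict:
    """Report bytes appended after the trailer and whether they begin with a plain PE 'MZ' stub."""
    trailing = data[find_gif_end(data):]
    return {"trailing_bytes": len(trailing),
            "plain_mz_header": trailing[:2] == b"MZ",
            "suspicious": len(trailing) > 0}

# Constructed samples: the classic 1x1 GIF, then the same image with a fake PE stub appended,
# once in the clear and once XOR-masked so no visible "MZ" survives (still flagged by size).
CLEAN_GIF = bytes.fromhex("47494638396101000100800000000000ffffff2c00000000010001000002024401003b")
FAKE_PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
TROJANIZED_GIF = CLEAN_GIF + FAKE_PE_STUB
OBFUSCATED_GIF = CLEAN_GIF + bytes(b ^ 0x5A for b in FAKE_PE_STUB)
```

The size check fires on the obfuscated sample even though the MZ signature is masked, which is why trailing data, not a signature match, is the primary indicator here.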

Technical Information

Registry Details

Backdoor.pirpi creates the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup = "%CommonPrograms%

