WARP

Description

The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When the WARP executing remote commands, the malware creates a copy of the ?%SYSTEMROOT%\system32\cmd.exe? file as ‘%USERPROFILE%\Temp~ISUN32.EXE’. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.

Names

Name
WARP

Type

Reconnaissance
Backdoor

Information

http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html

Other Information

Uuid

7d3f89d6-21b4-46aa-bf98-945ceda5a847

Last Card Change

2020-04-20

Threat Intelligence Garden

Explorer

WARP

WARP

Description

Names

Category

Type

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks