PE_VIRUX.I
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector connects to certain websites to send and receive information.
TECHNICAL DETAILS
Varies
PE
17 Nov 2009
Installation
This file infector injects code into the following process:
- WINLOGON.EXE
Other System Modifications
This file infector adds the following registry entry, which lists winlogon.exe as an authorized application in the Windows Firewall domain profile:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
\??\%System%\winlogon.exe = \??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1
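A check for this entry, as an added example that is not part of the original write-up: it parses the text printed by `reg query` for the key above and reports any enabled firewall exception whose image is winlogon.exe. The sample output, the sessmgr.exe line and the C:\WINDOWS path (standing in for %System%) are constructed.

```python
import re

# Constructed sample of `reg query` output for the key named on the page.
# The sessmgr.exe line stands in for an ordinary entry; C:\WINDOWS\system32
# is an assumed expansion of %System%.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    %windir%\system32\sessmgr.exe    REG_SZ    %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    \??\C:\WINDOWS\system32\winlogon.exe    REG_SZ    \??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1
"""

# A value line is indented: <name> REG_SZ <data>
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_SZ\s+(?P<data>.+?)\s*$")


def parse_entries(reg_query_text):
    """Yield (image_path, scope, state, label) for each list value."""
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        # Data is path:scope:state:label. Split from the right because the
        # path itself contains a colon after the drive letter.
        parts = m.group("data").rsplit(":", 3)
        if len(parts) == 4:
            yield tuple(parts)


def suspicious_entries(reg_query_text):
    """Return enabled exceptions whose image file is winlogon.exe."""
    hits = []
    for path, scope, state, label in parse_entries(reg_query_text):
        image = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image == "winlogon.exe" and state.lower() == "enabled":
            hits.append({
                "path": path,
                "scope": scope,
                "label": label,
                # The entry on the page uses the \??\ object-path prefix.
                "nt_prefix": path.startswith("\\??\\"),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE):
        print("winlogon.exe is an enabled firewall exception:", hit)
```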
File Infection
This file infector infects the following file types:
- .EXE
- .SCR
It avoids infecting files that contain the following strings in their names:
- OTSP
- WC32
- WCUN
- WINC
It avoids infecting the following files:
- .DLL files
- PE files with a section named "_win"
- Files with an infection marker
Other Details
This file infector connects to the following website to send and receive information:
- {BLOCKED}u.{BLOCKED}s.pl
NOTES:
It arrives as a file infected by PE_VIRUX variants.