PE_VIRUX.P-1
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It infects by appending its code to target host files. It infects certain file types by inserting code in the said files.
TECHNICAL DETAILS
Varies
EXE
Yes
05 Nov 2010
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This file infector creates the following registry entry(ies) to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
File Infection
This file infector infects by appending its code to target host files.
It infects files with the following file extensions by inserting code in the said files:
- .EXE
HOSTS File Modification
This file infector adds the following strings to the Windows HOSTS file:
- {BLOCKED}7.{BLOCKED}.0.1 www.Trenz.pl