PE_VIRUX.P-1

 Modified by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects by appending its code to target host files. It infects certain file types by inserting code in the said files.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

05 Nov 2010

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This file infector creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

File Infection

This file infector infects by appending its code to target host files.

It infects files with the following file extensions by inserting code in the said files:

  • .EXE

HOSTS File Modification

This file infector adds the following strings to the Windows HOSTS file:

  • {BLOCKED}7.{BLOCKED}.0.1 www.Trenz.pl