PE_ETAPx

 Analysis by: Karl Dominguez

 ALIASES:

W32.Simile(Symantec), W32/Etap-A(Sophos), Virus.Win32.Etap(Kaspersky), W32/Etap(Avira), W32/Etap(F-Prot), W32/Etap.gen(McAfee)

 PLATFORM:

Windows 2000, Windows XP, Server 2003, Linux


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This is the generic detection for metamorphic viruses that infect Win32 and Linux ELF executable files. This direct file infector uses a complex infection routine, so the size increase of an infected file varies from file to file.

When infecting files, these viruses use an entry-point obscuring (EPO) technique. On specific trigger dates, they display a message box.

  TECHNICAL DETAILS

File Size:

801,592 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

09 May 2013

Payload:

Modifies files, Displays message/message boxes

NOTES:
Upon execution, this virus searches for infectable files (Win32 and Linux ELF files). It searches for target files in the directories of the current drive, and then continues to other drives present on the system.

This virus infects using an entry-point obscuring technique: instead of changing the program's entry point, it patches the host's reference to the ExitProcess API so that it points to the virus code. The virus therefore runs when the infected host calls ExitProcess on exit, not when the host starts.
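As an added illustration (not code from this description), the check below shows how a scanner can look for the EPO pattern described above in a 32-bit code section: it counts the indirect calls that still go through the ExitProcess IAT slot (FF 15 imm32) and flags direct near calls (E8 rel32) whose destination lies in the last section of the image, where this virus attaches. The image layout, addresses and code bytes are constructed for the example; the assumption that the patch turns a 6-byte indirect call into a 5-byte direct call plus a NOP is also an illustrative guess, not a claim about the real sample.

```python
import struct

# Constructed toy layout (hypothetical, not taken from a real sample).
IMAGE_BASE = 0x400000
CODE_VA = 0x401000                      # start of the code section
LAST_SECTION = (0x405000, 0x405800)     # [start, end) of the last section
EXITPROCESS_IAT_SLOT = 0x402010         # IAT entry for kernel32!ExitProcess

# Clean host:  push ebp / mov ebp,esp / push 0 / call [ExitProcess] / ret
CLEAN_CODE = bytes.fromhex("558BEC6A00" "FF1510204000" "C3")

# Same host after an assumed EPO patch: the 6-byte "call [ExitProcess]" is
# replaced by a 5-byte direct call into the last section plus a NOP.
_rel32 = struct.pack("<i", LAST_SECTION[0] - (CODE_VA + 5 + 5))
INFECTED_CODE = bytes.fromhex("558BEC6A00") + b"\xE8" + _rel32 + b"\x90\xC3"


def scan_calls(code, code_va, last_section, iat_slot):
    """Linear byte scan of a code section (not a real disassembler, so it can
    misread data as opcodes). Returns two lists:
      indirect   - VAs of "call [iat_slot]" instructions (FF 15 imm32)
      suspicious - (call VA, destination VA) for "call rel32" (E8) whose
                   destination lies in the last section but not in the code
    """
    code_end = code_va + len(code)
    indirect, suspicious = [], []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] == 0x15:
            target = struct.unpack_from("<I", code, i + 2)[0]
            if target == iat_slot:
                indirect.append(code_va + i)
            i += 6
            continue
        if op == 0xE8 and i + 5 <= len(code):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            dest = code_va + i + 5 + rel          # rel32 is relative to next instr
            in_last = last_section[0] <= dest < last_section[1]
            in_code = code_va <= dest < code_end
            if in_last and not in_code:
                suspicious.append((code_va + i, dest))
            i += 5
            continue
        i += 1
    return indirect, suspicious


def looks_epo_patched(code, code_va, last_section, iat_slot):
    """True when a direct call leaves the code section for the last section."""
    _, suspicious = scan_calls(code, code_va, last_section, iat_slot)
    return bool(suspicious)


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_CODE), ("infected", INFECTED_CODE)):
        ind, sus = scan_calls(blob, CODE_VA, LAST_SECTION, EXITPROCESS_IAT_SLOT)
        print(name, "indirect ExitProcess calls:", [hex(v) for v in ind],
              "calls into last section:", [(hex(a), hex(d)) for a, d in sus])
```

On a real file the section addresses and the IAT slot come from the PE headers, and a disassembler should replace the byte scan; the point here is the two signals a practitioner checks for this EPO style: the expected call through the ExitProcess import has disappeared, and a direct call now lands in the section the virus body occupies.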

This virus attaches its body to the host in encrypted form and decrypts it at run time with a polymorphic decryptor. The body is placed either in the middle of the file or in the last section.

This virus checks the current system date. If the system date matches its trigger date, it displays a message box. There are three known versions of this virus, with different trigger dates and displaying different message boxes.

Version 1

This version displays a message box with one of the following texts if the date is the 17th of March, June, September, or December:
  • MetaPHOR v1 by the Mental Driller/29A
  • MetaPHOR 1b by the Mental Driller/29A
It displays another message box with the following text if the system date is May 14 and the system language is Hebrew:
  • Free Palestine!

Version 2

This version displays a message box with the following text if the system date is the 18th of March, June, September, or December:
  • deutsChE TeLekOM@bY@EnERGY RPP2@**g*

Version 3

This third version displays a message box with the following text if the system date is the 17th of March or September:

  • MetaPHOR 1c by the Mental Driller/29A

Note that this virus varies the letter case of the displayed text strings in all message boxes, so the messages may appear in upper case, lower case, or a mix of both.

  SOLUTION

Minimum Scan Engine:

8.900

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as PE_ETAPx. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
