Modified by: Christopher Daniel So

ALIASES:

Virus:Win32/Parite.B (Microsoft), W32.Pinfi (Symantec), W32/Pate.b (McAfee), Virus.Win32.Parite.b (Kaspersky), W32/Parite-B (Sophos), Win32.Parite.b (Sunbelt)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware

This malware was involved in an attack targeting Banco de Brasil users during May 2013. It claimed itself to be a customized online banking browser that would allow users to access their accounts much more easily. Users with systems affected by this malware may find their online banking accounts compromised.

To get a one-glance comprehensive view of the behavior of this File infector, refer to the Threat Diagram shown below.

This File infector may be downloaded by other malware/grayware from remote sites.

It infects by appending its code to target host files.

It does not have any backdoor routine.

It does not have any downloading capability.

It does not have any information-stealing capability.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 05 Jan 2001
Payload: Drops files

Arrival Details

This File infector may be downloaded by the following malware/grayware from remote sites:

Installation

This File infector adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Residented

Other System Modifications

This File infector adds the following registry keys as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer
PINF =

File Infection

This File infector infects the following file types:

  • .EXE
  • .SCR

It infects by appending its code to target host files.

Backdoor Routine

This File infector does not have any backdoor routine.

Dropping Routine

This File infector drops the following files:

Download Routine

This File infector does not have any downloading capability.

Information Theft

This File infector does not have any information-stealing capability.

Other Details

This File infector does the following:

  • It makes use of random port in order to access network shares. It then continues its infection routine in its accessed shares.
  • It may also arrive as an email file (EML) file that contains the malware executable in Base-64 format. In this form, this file infector executes when the malicious EML file is opened. Once opened, it searches for .HTM or .HTML files on the infected system with the strings "README" in their file names. Once found, it drops a copy of the .EML file into the folder where the infected .HTML file is found. The infected HTML file is detected by Trend Micro as JS_NIMDA.A.
  • Adds a script line to the infected HTML file to execute the embedded malicious .EML file when the infected HTML file is opened and viewed. This action guarantees continuous infection and increases security risk of the infected system.

NOTES:

This file infector does not have rootkit capabilities.

It also does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 8.900
VSAPI OPR PATTERN File: 5.883.00
VSAPI OPR PATTERN Date: 01 Apr 2008

Step 1

DAMAGE CLEANUP TEMPLATE

Step 2

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 3

Remove the malware/grayware file that dropped/downloaded PE_PARITE.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)

Step 4

Remove the malware/grayware file dropped/downloaded by PE_PARITE.A. (Note: Please skip this step if the threat(s) listed below have already been removed.)

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • PINF

Step 6

Scan your computer with your Trend Micro product to delete files detected as PE_PARITE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.