PE_VIRUX.I
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This file infector connects to certain websites to send and receive information.
TECHNICAL DETAILS
Installation
This file infector injects code into the following process:
- WINLOGON.EXE
Other System Modifications
This file infector adds the following registry entry, which lists WINLOGON.EXE as an authorized application in the Windows Firewall domain profile:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
\??\%System%\winlogon.exe = \??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1
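As an added example (not part of the original write-up or any vendor tooling), the Python sketch below parses a .reg export of the Windows Firewall policy key and reports enabled winlogon.exe exceptions written with the \??\ prefix shown above. The sample export, the C:\WINDOWS path and the function names are constructed for illustration, and the check covers every firewall profile in the export rather than only DomainProfile.

```python
import re

# Constructed sample: a .reg export of the firewall policy key from a test host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Tools\\winlogon.exe"="C:\\Tools\\winlogon.exe:LocalSubNet:disabled:test"
'''

KEY_RE = re.compile(r'^\[(.+\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List)\]$', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def find_winlogon_exceptions(reg_text):
    """Return (profile, path, scope) for enabled \\??\\...\\winlogon.exe exceptions."""
    hits, profile = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            profile = m.group(2)
            continue
        if line.startswith('['):
            profile = None            # some other key: ignore its values
            continue
        v = VALUE_RE.match(line)
        if not (profile and v):
            continue
        data = unescape(v.group(2))
        # Layout is path:scope:status:name; split from the right (path may hold "C:").
        parts = data.rsplit(':', 3)
        if len(parts) != 4:
            continue
        path, scope, status, _name = parts
        if (path.startswith('\\??\\') and path.lower().endswith('\\winlogon.exe')
                and status.lower() == 'enabled'):
            hits.append((profile, path, scope))
    return hits

if __name__ == '__main__':
    for profile, path, scope in find_winlogon_exceptions(SAMPLE_EXPORT):
        print(f'{profile}: {path} (scope {scope})')
```

Exports written by regedit are typically UTF-16, so decode the file before passing its text to the function.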
File Infection
This file infector infects the following file types:
- .EXE
- .SCR
It avoids infecting files that contain the following strings in their names:
- OTSP
- WC32
- WCUN
- WINC
It avoids infecting the following files:
- .DLL files
- PE files with a section named "_win"
- Files with an infection marker
Other Details
This file infector connects to the following website to send and receive information:
- {BLOCKED}u.{BLOCKED}s.pl
NOTES:
It arrives as a file infected by PE_VIRUX variants.