January 24, 2011

Virus that infects Executable Files

This is a file-infecting virus that spreads from computer to computer. It may be downloaded onto a system by other malware, grayware or spyware from remote sites, and it has been seen together with the HTML_SHELLCOD.SM exploit, which opens the door to further infections. It drops a file containing the main malicious code, detected as PE_PARITE.A-O.

It is a selective file infector: it targets only .EXE and .SCR files. Once a PC is infected, the virus does the following:
  • Drops a randomly named .TMP file in the Windows temporary folder; this file holds the main malicious code and is detected as PE_PARITE.A-O.
  • Exports two functions, AttachHook and Initiate. AttachHook injects the code into the shell process (EXPLORER.EXE) so that it does not show up as a separate process in memory; Initiate contains the main infection routine.
  • Infects a random number of .EXE and .SCR files, at random intervals, by appending a new section to each host file.
  • Uses a random port to reach network shares and continues its infection routine on every share it can access.
  • It may also arrive as an email (.EML) file that carries the malware executable encoded in base64. In this form the file infector runs when the malicious .EML file is opened. It then searches the system for .HTM and .HTML files with the string "README" in their names and drops a copy of the .EML file into each folder where such a file is found. The modified HTML file is detected as JS_NIMDA.A.
  • Adds a script line to the modified HTML file that executes the embedded malicious .EML file whenever the page is opened and viewed. This keeps the infection going and raises the risk to the system.
  • The presence of the following registry value indicates that this file infector is on the system: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
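Because the virus spreads by appending a new section to each host and redirecting execution into it, a quick way to shortlist candidate victims is to check whether a PE file's entry point falls inside its last section. The script below is an added example, not code from the original post or from any vendor tool; the entry-point-in-last-section heuristic is a generic check for appending infectors and is an assumption about how this family presents, not something the post states. Treat hits as leads: packers such as UPX also place the entry point in the last section, so every hit needs a scan or manual inspection.

```powershell
# Added example (not from the original post). Flags PE files whose entry point
# lies inside the LAST section, the usual footprint of an appending file
# infector. A hit is a lead for inspection, not proof of infection.
function Test-EntryPointInLastSection {
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    # Not a DOS/PE image at all ("MZ" signature missing)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }

    $peOff = [BitConverter]::ToInt32($b, 0x3C)                              # e_lfanew
    if ($peOff -le 0 -or ($peOff + 24) -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { return $null }  # "PE\0\0"

    $numSections = [BitConverter]::ToUInt16($b, $peOff + 6)                # NumberOfSections
    $optHdrSize  = [BitConverter]::ToUInt16($b, $peOff + 20)               # SizeOfOptionalHeader
    $optHdr      = $peOff + 24
    $entryRva    = [BitConverter]::ToUInt32($b, $optHdr + 16)              # AddressOfEntryPoint
    $secTable    = $optHdr + $optHdrSize                                   # first IMAGE_SECTION_HEADER

    $sections = @(for ($i = 0; $i -lt $numSections; $i++) {
        $s = $secTable + 40 * $i                                           # 40-byte section headers
        if (($s + 40) -gt $b.Length) { break }
        [pscustomobject]@{
            Name            = ([Text.Encoding]::ASCII.GetString($b, $s, 8)).TrimEnd([char]0)
            VirtualSize     = [BitConverter]::ToUInt32($b, $s + 8)
            VirtualAddr     = [BitConverter]::ToUInt32($b, $s + 12)
            RawSize         = [BitConverter]::ToUInt32($b, $s + 16)
            Characteristics = [BitConverter]::ToUInt32($b, $s + 36)
        }
    })
    if ($sections.Count -eq 0) { return $null }

    $last      = $sections[-1]
    $size      = [Math]::Max($last.VirtualSize, $last.RawSize)
    $epInLast  = ($entryRva -ge $last.VirtualAddr) -and ($entryRva -lt ($last.VirtualAddr + $size))
    $lastExec  = ($last.Characteristics -band 0x20000000) -ne 0          # IMAGE_SCN_MEM_EXECUTE

    [pscustomobject]@{
        Path             = $Path
        Sections         = $sections.Count
        LastSection      = $last.Name
        EntryPointInLast = $epInLast
        LastSectionExec  = $lastExec
        # A one-section image is normal; EP in the last of several sections is the lead
        Suspicious       = $epInLast -and ($sections.Count -gt 1)
    }
}

# Sweep only the file types the post says PE_PARITE touches (.EXE and .SCR).
Get-ChildItem -Path 'C:\Program Files' -Recurse -Include *.exe,*.scr -ErrorAction SilentlyContinue |
    ForEach-Object { Test-EntryPointInLastSection -Path $_.FullName } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table Path, Sections, LastSection, EntryPointInLast, LastSectionExec -AutoSize
```

Widen the sweep to any share the machine could reach, since the post notes the infector continues on accessible network shares; compare suspicious binaries against known-good copies (same product, same version) rather than trusting size alone.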
Prevention:
  • Do not download unknown files from websites.
  • Do not click on unknown links.
  • Do not open unknown email attachments.
  • Keep your anti-virus scanning engine and its definitions up to date.
Removal:
  • Disable System Restore first, so that a restore point cannot bring the infected files back after cleaning.
  • Search for and remove the malware files dropped or downloaded by PE_PARITE.A, detected as:
             JS_SHELLCOD.SMGU          JS_NIMDA.A         PE_PARITE.A-O 
  • Delete the PINF value under the registry key
           HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    Delete only the PINF value, not the Explorer key itself: that key holds the user's shell settings.
  • Update the definitions of a reputable anti-virus product and run a full scan. Infected .EXE and .SCR files must be disinfected or replaced from clean media; removing the dropped files and the registry value alone leaves the infected host files in place.
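The following script is an added example, not code from the original post, that turns the indicators above into a triage pass and removes the PINF marker the safe way (the value only, leaving the Explorer key intact). Two details are assumptions rather than facts from the post: that the dropped .TMP file can be recognised as a PE image by its MZ header, and that the line added to README*.htm/.html files is a <script> tag that references a .eml file; adjust the regular expression if you find the real injected line differs.

```powershell
# Added example (not from the original post). Triage for the post's indicators
# and removal of the PINF marker VALUE. Run from an elevated PowerShell on the
# suspect machine. Removing the marker does nothing to infected .EXE/.SCR files.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'

function Get-PariteIndicators {
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Registry marker: the PINF value under the Explorer key
    $pinf = Get-ItemProperty -Path $explorerKey -Name PINF -ErrorAction SilentlyContinue
    if ($pinf) {
        $hits.Add([pscustomobject]@{ Type = 'Registry'; Item = "$explorerKey\PINF"; Detail = $pinf.PINF })
    }

    # 2. Randomly named .TMP files in %TEMP% that are really PE images (assumption: MZ header present)
    Get-ChildItem -Path $env:TEMP -Filter *.tmp -File -ErrorAction SilentlyContinue | ForEach-Object {
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try {
            $hdr = New-Object byte[] 2
            $n = $fs.Read($hdr, 0, 2)
        } finally { $fs.Dispose() }
        if ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            $hits.Add([pscustomobject]@{ Type = 'TempPE'; Item = $_.FullName; Detail = "$($_.Length) bytes, PE image named *.tmp" })
        }
    }

    # 3. README*.htm/.html files carrying a <script> that references a .eml dropper
    #    (assumption about the shape of the injected line; the post only says a script line runs the .EML)
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include README*.htm,README*.html -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $txt = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if ($txt -match '(?is)<script[^>]*>.*?\.eml.*?</script>') {
                $hits.Add([pscustomobject]@{ Type = 'HtmlDropper'; Item = $_.FullName; Detail = 'script tag referencing a .eml file' })
            }
        }
    return $hits
}

function Remove-PariteMarker {
    # Remove only the PINF value; the Explorer key and its other values stay untouched
    if (Get-ItemProperty -Path $explorerKey -Name PINF -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $explorerKey -Name PINF
        Write-Host "Removed PINF value from $explorerKey"
    } else {
        Write-Host "PINF value not present"
    }
}

Get-PariteIndicators | Format-Table Type, Item, Detail -AutoSize
# Uncomment once the infected binaries have been cleaned or replaced:
# Remove-PariteMarker
```

Quarantine anything the triage lists before deleting it, so the dropped .TMP and .EML files remain available for the anti-virus scan and for confirming the detection names given above.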
