Tuesday, February 10, 2009

Win32.Jeefo.A - virus

Win32.Jeefo.A
Date Published: 16 Jun 2003
Last Updated: 23 Jun 2003

Type: Virus
Category: Win32
Also known as: Win32.Hidrag (Kaspersky), Win32/HLLP.Jeefo.A, W32/Jeefo (McAfee), W32.Jeefo (Symantec), PE_JEEFO.A (Trend)

Win32.Jeefo.A is a virus that infects PE (Portable Executable) files.
When an infected program runs, the virus copies its own body to SVCHOST.EXE in the Windows directory, launches that copy as a separate process, and then passes control back to the host program so the host appears to run normally. The running copy registers itself as a service so that it stays resident in memory. On Win9x systems it creates the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\PowerManager = "%Windows%\SVCHOST.EXE"
On Win2k it registers a service named "Power Manager" under the PowerManager key:
HKLM\System\CurrentControlSet\Services\PowerManager\ImagePath = "%Windows%\svchost.exe"
Note that SVCHOST.EXE is also the name of a legitimate Windows component, but the genuine file lives in the System directory (%Windows%\System32 on Win2k), not in the Windows directory itself. The copy dropped by the virus contains only the virus body and is 36,352 bytes in size, so a svchost.exe of exactly that size directly in the Windows directory is the quickest indicator of infection.
The virus enumerates drive letters C to Z and, on each fixed disk, walks every directory looking for suitable PE files to infect. Each infected file grows by exactly 36,352 bytes (the size of the virus body), but the virus restores the file's last-modified date and time, so timestamps alone will not reveal an infection; comparing file sizes against a known-good baseline will.
The virus body contains the following text string, which is never displayed to the user:
"Hidden Dragon virus. Born in a tropical swamp"
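The indicators above (the 36,352-byte SVCHOST.EXE in the Windows directory, the two PowerManager registry values, the 36,352-byte growth of infected PE files, and the hidden string in the virus body) are enough to write a simple triage check. The script below is an example added to this post; it is not the AV vendor's tool, and nothing in it is taken from the virus itself. It assumes the Windows directory defaults to C:\Windows (the real one is read from %SystemRoot% at run time), treats the write-up's "%Windows%" placeholder and the real %WinDir%/%SystemRoot% variables as equivalent when reading registry values, and builds its own minimal PE images as constructed test samples. The pure checks run on any host; the live registry and file checks in main() run only on Windows. It cannot check the "grew by 36,352 bytes with timestamp preserved" indicator without a known-good baseline, so that comparison is left to the operator.

```python
"""
Indicator checks for Win32.Jeefo.A (added example, not the AV write-up's tool).
Uses only the artifacts the write-up lists: %Windows%\\SVCHOST.EXE of 36,352 bytes,
the PowerManager registry values, and the hidden "Hidden Dragon" string that is
present in every copy of the virus body. ntpath is used so the path logic behaves
like Windows even when the script is run elsewhere.
"""
import ntpath
import os
import re
import sys

JEEFO_SIZE = 36352  # size of the dropped SVCHOST.EXE and of the growth of infected files
JEEFO_MARKER = b"Hidden Dragon virus. Born in a tropical swamp"

# (subkey under HKLM, value name): Win9x RunServices entry and Win2k service ImagePath.
JEEFO_REG_VALUES = [
    (r"Software\Microsoft\Windows\CurrentVersion\RunServices", "PowerManager"),
    (r"System\CurrentControlSet\Services\PowerManager", "ImagePath"),
]


def _norm(path: str) -> str:
    """Windows-style, case-insensitive path normalisation (works off-Windows too)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' stub, e_lfanew inside the buffer, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_pe(data: bytes) -> dict:
    """File-level indicators for one PE image held in memory.
    bare_dropper: the standalone copy (virus body only) is exactly JEEFO_SIZE bytes."""
    pe = is_pe(data)
    marker = pe and JEEFO_MARKER in data
    return {"pe": pe, "marker": marker, "bare_dropper": marker and len(data) == JEEFO_SIZE}


def is_rogue_svchost(path: str, size: int, windir: str = r"C:\Windows") -> bool:
    """A svchost.exe directly in the Windows directory with the virus body's size.
    The legitimate svchost.exe lives under the System directory and is not flagged."""
    return _norm(path) == _norm(ntpath.join(windir, "svchost.exe")) and size == JEEFO_SIZE


def value_points_to_dropper(value: str, windir: str = r"C:\Windows") -> bool:
    """True when a RunServices/ImagePath value launches the dropped copy.
    Assumption: %Windows% (the write-up's placeholder), %WinDir% and %SystemRoot%
    all stand for the Windows directory; surrounding quotes are ignored."""
    v = value.strip().strip('"')
    v = re.sub(r"%(windows|windir|systemroot)%", lambda _m: windir, v, flags=re.I)
    return _norm(v) == _norm(ntpath.join(windir, "svchost.exe"))


def make_sample_pe(payload: bytes) -> bytes:
    """Constructed test image: MZ stub, e_lfanew = 0x40, 'PE\\0\\0', then payload."""
    return b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + payload


def scan_tree(root: str):
    """Walk a directory tree and yield (path, size) for PE files carrying the marker."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if inspect_pe(data)["marker"]:
                yield path, len(data)


def check_registry(windir: str) -> list:
    """Windows only: read the two PowerManager values and keep those launching the dropper."""
    import winreg  # not available off-Windows, so imported lazily
    hits = []
    for subkey, name in JEEFO_REG_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                value, _ = winreg.QueryValueEx(key, name)
        except OSError:
            continue
        if value_points_to_dropper(str(value), windir):
            hits.append((subkey, name, value))
    return hits


def main(roots):
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    if sys.platform == "win32":
        for subkey, name, value in check_registry(windir):
            print(f"registry: HKLM\\{subkey}\\{name} = {value!r}")
        dropper = ntpath.join(windir, "svchost.exe")
        if os.path.isfile(dropper) and is_rogue_svchost(dropper, os.path.getsize(dropper), windir):
            print(f"dropper: {dropper} ({JEEFO_SIZE} bytes)")
    for root in roots:
        for path, size in scan_tree(root):
            print(f"marker: {path} ({size} bytes)")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python jeefo_check.py C:\` on the suspect machine; with no directory argument it only performs the registry and dropper checks. Scanning by the embedded string rather than by file extension matters because the virus chooses "suitable PE files" by content, not by name, and because the string sits in the appended virus body of every infected host, not just in the dropped copy.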
-
For information purposes only.
