BitDefender Antivirus

Win32.Fosforo.A

( N/A )
Spreading: low
Damage: low
Size: 7000 bytes
Discovered: 2002 Jul 01

SYMPTOMS:

N/A


TECHNICAL DESCRIPTION:

The virus uses the EPO (Entry Point Obscurity) technique to make detection harder: that is, it replaces an API call with a call to its own code. It appends itself to the end of the file and is encrypted with a primitive method. It also has an anti-debug trick that would cause a stack overflow.

The virus infects most PE files in the current directory, as well as in the Windows and System directories. It doesn't infect files that have V as the first or second letter, or files whose names begin with "F-". The virus may infect some files incorrectly, so they may not run. Infected files also have a corrupt PE structure in the last part of the file, and may give a not-enough-memory message when run.

On 12 July of any year, infected applications hang when run.

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Fosforo.A.

ANALYZED BY:

Mihai Neagu, BitDefender Virus Researcher