Win32.Jeefo.A

MEDIUM
36.352 bytes, written in MinGW
(Win32.Jeffo.A)

Symptoms

- Presence of the file "svchost.exe" in the Windows directory
- Under Windows 9x/Me, the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices contains the value "PowerManager" which points to "svchost.exe"
- Under Windows NT/2000/XP, presence of the "Power Manager" service. This service has the description: 'Manages the power save features of the computer.'

Removal instructions:

Let BitDefender disinfect the files it found infected. When BitDefender encounters the "host" file (pure virus dropper), it will automatically delete it.

Analyzed By

BitDefender AV Research Team

Technical Description:

This executable file infector is written in MinGW and presents a very interesting (and difficult to disinfect) infection technique. It contains various strings, encrypted with a trivial algorithm:

.text:004012B0 decryption_loop:
.text:004012B0 mov cl, [edx+ebx]
.text:004012B3 dec cl
.text:004012B5 mov [edx+eax], cl
.text:004012B8 inc edx
.text:004012B9 cmp edx, edi
.text:004012BB jl short decryption_loop

When an infected file is executed for the first time, the virus receives control and dumps a copy of itself in the Windows directory as svchost.exe and registers itself to be executed at every system startup: under Windows 9x/Me it adds a key to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; under NT/2000/XP, it creates a service called "Power Manager".

The file infection algorithm is complex; in some cases, infected files get corrupted (the virus is not capable of handling certain resource types).

The infected file has the following layout:
1) Virus
2) Original file's resources (bitmaps, icons, etc.) -> thus the infected file has the same main icon as the original file
3) Original file chunks - encrypted

The disinfection routine decrypts the file chunks, re-links the file, adds the resources and re-locates them to the new relative virtual address. Resource relocation is tricky and in some cases may cause the virus to fail (crash); however, these files are correctly disinfected by BitDefender.

The virus contains the following text string: "Hidden Dragon virus. Born in a tropical swamp." encrypted with the same trivial encryption algorithm as above. When encrypted, the word "hidden" is transformed to "iJeefo" (this is where this virus got its name from).