W32/Parite.B

PE_PARITE.A (Trend) W32.Pinfi (Symantec) W32/Parite-B (Sophos) Win32.Pinfi.A (CA) W32/Parite.B (F-Prot) W32/Parite.B (Panda) Win32.Parite.b (AVP)

Type: Win32 polymorphic fileinfector virus
Affects: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Upon infection the virus adds a new section (this section is randomly named with 3 letters followed by the ASC-II character 07) to the host file, which contains the main viral code in encrypted form. This file is later dropped as a randomly named temp-file into the TEMP folder using windows API function to retrieve this path.

The temp-file (around 172Kb in size) is injected into Windows Explorer. This means that if Explorer runs, the virus stays active in memory.

The virus takes the Original Entry Point (OEP) from the infected file out of the Fileheader, encrypts the old Entry Point with a randomly generated 32bit value, and stores this calculated entrypoint value in the encrypted last section of the file, where the virus writes itself.

It needs the original entry point to execute an infected file after the viral code has been executed – otherwise infected programs would not be able to run after the virus runs.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

The virus creates the following Registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Parite uses 2 different, randomly generated, 32bit values, at 2 random addresses in the original host file, and it overwrites these addresses if the file does not run.
If the infected file is active, the virus restores this data out of the encrypted section into the program code. This is a special mechanism to make the cleaning of infected files more difficult.
The virus enumerates and scans all network shares and tries to infect all Windows32 executables and screensaver files.

Other Details

The polymorphic Dropper is written using TASM, and the virus part itself is written with Borland C++ and packed with UPX, a executable file compressor.

 

 

V3로 치료되지 않는다(고 한다. 본인은 V3를 사용하지 않고 NOD32를 사용한다). 2008년 2월 14일. 그러나 그 이후는 잘 모르겠다.

Kaspersky와 NOD32는 확실히 잡아내는것 같다.

Advertisements

답글 남기기

아래 항목을 채우거나 오른쪽 아이콘 중 하나를 클릭하여 로그 인 하세요:

WordPress.com 로고

WordPress.com의 계정을 사용하여 댓글을 남깁니다. 로그아웃 / 변경 )

Twitter 사진

Twitter의 계정을 사용하여 댓글을 남깁니다. 로그아웃 / 변경 )

Facebook 사진

Facebook의 계정을 사용하여 댓글을 남깁니다. 로그아웃 / 변경 )

Google+ photo

Google+의 계정을 사용하여 댓글을 남깁니다. 로그아웃 / 변경 )

%s에 연결하는 중