Virus

W32/Jeefo.A

Analysis


  • This is a 32-bit virus with an infection size of 36,352 bytes.

  • When executed, it drops an infectious binary into the Windows folder as svchost.exe. On Windows NT/2000/XP systems, it registers this file to run as a service at startup.

  • Under Windows NT/2000/XP, the virus uses imports from ADVAPI32.DLL to create and start itself as a service. The service, listed as Power Manager, is visible in the Administrative Tools / Services applet. The properties of the service created by this virus are:
    • Display Name: Power Manager
    • Description: Manages the power save features of the computer
    • Path to executable: %Windows%\svchost.exe
    • Startup type: Automatic
    • Log on as: Local System account
    • Dependencies: <No Dependencies>

  • While the virus runs as a service, it slowly infects other 32-bit PE files on the system by prepending its code to the target files.

  • When the virus creates the service, the following keys are created in the system registry:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Security

  • The keys listed above are populated with values that specify how the virus loads and where its file is located, as in the following example:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\
    "Description" = Manages the power save features of the computer.
    "DisplayName" = Power Manager
    "ErrorControl" = 00, 00, 00, 00
    "ImagePath" = C:\WINNT\svchost.exe
    "ObjectName" = LocalSystem
    "Start" = 02, 00, 00, 00
    "Type" = 10, 00, 00, 00

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum\
    "0" = Root\LEGACY_POWERMANAGER\0000
    "Count" = 01, 00, 00, 00
    "NextInstance" = 01, 00, 00, 00

  • The virus contains the string Ijeefo!Esbhpo! in its code.
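The following is an added triage example (not Fortinet's detection logic or the virus's code) that uses only the two facts stated above, the 36,352-byte prepended body and the marker string, to flag PE files laid out as a prepended infection. The minimal PE buffers at the bottom are constructed fixtures, not real samples.

```python
import struct
from pathlib import Path

INFECTION_SIZE = 36_352        # size of the prepended virus body (from the analysis)
MARKER = b"Ijeefo!Esbhpo!"     # string present in the virus code (from the analysis)


def decode_marker(marker: bytes = MARKER) -> str:
    """Each marker byte is one above a printable ASCII character; shift it back."""
    return bytes(b - 1 for b in marker).decode("ascii").strip()


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """'infected'  : PE with the marker in its first INFECTION_SIZE bytes and a
                     second PE (the original host) starting right after that body
       'suspicious': marker present but not in the prepended-PE layout
       'clean'     : marker absent"""
    if MARKER not in data:
        return "clean"
    if is_pe(data) and MARKER in data[:INFECTION_SIZE] and is_pe(data[INFECTION_SIZE:]):
        return "infected"
    return "suspicious"


def scan_tree(root) -> dict:
    """Map every file under root to its verdict; anything not 'clean' needs follow-up."""
    return {str(p): classify(p.read_bytes()) for p in Path(root).rglob("*") if p.is_file()}


# --- constructed fixtures (synthetic buffers, not real malware) ---
def tiny_pe(body: bytes) -> bytes:
    """Smallest buffer that passes is_pe(): MZ stub, e_lfanew=0x40, 'PE\\0\\0', then body."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + body

HOST = tiny_pe(b"host program code")
VIRUS_BODY = tiny_pe(b"x" * 100 + MARKER).ljust(INFECTION_SIZE, b"\0")
INFECTED = VIRUS_BODY + HOST     # the prepended layout described in the analysis

if __name__ == "__main__":
    print(classify(HOST), classify(INFECTED), decode_marker())
```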

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.