Tuesday, June 03, 2008

Virus.Win32.Parite.b : Remove viruses and worms with ease and passion

Once again, and to my annoyance, my system got infected by something that lives in the temporary folder under the name ena1.tmp, 172 KB in size; from time to time the file reappears under a different name. Whatever it was, I recently restored my system and scanned it with the beta version of Kaspersky Antivirus 8, and everything it found infected was identified as Virus.Win32.Parite.b, a step ahead of its parent Virus.Win32.Parite.a. Both are purely parasitic viruses which modify the code of the infected file; the infected file remains partially or fully functional.

The KAV displayed the following notice every time the infected file/folder was scanned.

Detected
--------
Status     Object
------       ------
will be deleted when the computer is restarted: virus Virus.Win32.Parite.b File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ena1.tmp//UPX

To my disappointment, even after the complete scan and a reboot the virus still resided in the %temp% folder. Digging further, I found that Virus.Win32.Parite.b had replicated itself into the System Volume Information system folder of the local drive and of the pen drive as well. Surprisingly, my JetFlash V110 pen drive never used to have a System Volume Information folder at all. Without further lingering, I deleted it using TuneUp Shredder, all such unwanted files were removed successfully, and finally a decisive full system scan was done to eliminate all the infected files and the virus itself.


The Malware Descriptions / Parasitic Classic Viruses section of viruslist.com writes of parasitic viruses such as Virus.Win32.Parite.b:

Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.

Parasitic viruses are grouped according to the section of the file they write their code to:

  • Prepending: the malicious code is written to the beginning of the file
  • Appending: the malicious code is written to the end of the file
  • Inserting: the malicious code is inserted in the middle of the file

Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.

File and Boot Viruses has very useful information on the aliases and coding of the virus we are dealing with:

Virus.Win32.Parite.b (Kaspersky Lab) is also known as: Win32.Parite.b (Kaspersky Lab), W32/Pate.b (McAfee), W32.Pinfi (Symantec), Win32.Parite.2 (Doctor Web), W32/Parite-B (Sophos), Win32/Parite.B (RAV), PE_PARITE.A (Trend Micro), W32/Parite (H+BEDV), W32/Parite.B (FRISK), Win32:BackDoor-Servu (ALWIL), Win32/Parite (Grisoft), Backdoor.FtpUServ.A (SOFTWIN), W32/Parite.B (Panda), Win32/Parite.B (Eset)

This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the key that it creates in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]

Details of the parent: Virus.Win32.Parite.a (Kaspersky Lab) is also known as: Win32.Parite.a (Kaspersky Lab), W32/Pate.a (McAfee), W32.Spybot.Worm (Symantec), Win32.Parite.1 (Doctor Web), W32/Parite-A (Sophos), Win32/HLLW.SpyBot (RAV), PE_PARITE.A (Trend Micro), W32/Parite (H+BEDV), W32/Spybot.IA (FRISK), Win32:SpyBot-GEN (ALWIL), Win32/Parite (Grisoft), Win32.Parite.A (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/Parite.A (Eset)

The virus consists of a dropper, which is written in assembler, and the virus part itself, written in Borland C++. When an infected file is launched, the control flow is passed to the virus dropper, which writes the virus to a temporary file and executes its infection procedure. The virus searches for Win32 EXE PE files with .scr and .exe extensions on all logical drives of the computer, and also in shared resources of the local network, and infects them.

The virus doesn't manifest its presence in any way. The structure of an infected file looks like this:

Host file
Virus
dropper - drops "main" to the TEMP dir and executes it.
main - searches for files and infects them, etc.
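The layout above (host file first, virus body appended, control passed to the dropper when the host is launched) is the classic appending infector. One way a defender can triage a set of executables for that pattern is to look at where each file's entry point lands. The following Python script is an added example, not code from this post or from Kaspersky; it parses the PE section table with only the standard library and flags an entry point that sits in the last section, in a section not marked as code, or in a section that is both writable and executable. The two sample images are constructed headers with no real code, built by build_test_image, and the section names and flag values are assumptions for illustration; the check is a generic heuristic, not a Parite signature.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                        # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i      # section table follows the optional header
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr,
            "size": max(vsize, rawsize),   # the loader maps at least the larger of the two
            "chars": chars,
        })
    return entry_rva, sections


def entry_point_findings(data):
    """Heuristic triage: report suspicious placements of the entry point."""
    entry_rva, sections = parse_sections(data)
    hit = next((i for i, s in enumerate(sections)
                if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    if hit is None:
        return ["entry point outside every section"]
    s = sections[hit]
    findings = []
    if len(sections) > 1 and hit == len(sections) - 1:
        findings.append(f"entry point in last section '{s['name']}'")
    if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry section '{s['name']}' is not marked as code")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{s['name']}' is writable and executable")
    return findings


def build_test_image(entry_rva, sections):
    """Construct a minimal PE32 header (no real code) so the checks can run offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and an appended-section layout of the kind an
# appending infector leaves behind (the section name '.vir' is an illustration only).
TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_IMAGE = build_test_image(0x1000, [(b".text", 0x1000, 0x2000, TEXT),
                                        (b".data", 0x3000, 0x1000, DATA)])
APPENDED_IMAGE = build_test_image(0x5000, [(b".text", 0x1000, 0x2000, TEXT),
                                           (b".data", 0x3000, 0x1000, DATA),
                                           (b".vir", 0x4000, 0x2000, TEXT | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("appended", APPENDED_IMAGE)):
        print(label, entry_point_findings(img) or ["no findings"])
```

Run it against real files by reading them with open(path, "rb").read() and passing the bytes to entry_point_findings. A packed or legitimately self-modifying binary (UPX, as in the KAV notice above) will also trip these checks, so treat a hit as a reason to look closer, not as a verdict.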

The AutoRun.inf file contained the following code. I think this part is system dependent; what it does is hook the system shell command directly.

[AutoRun]
open=
shell\open\Command=System~1\com1.{29ec2020-4aea-1069-a2dd-08002b40409d}\ntldr.pif
shell\open\Default=1
shell\explore\Command=System~1\com1.{29ec2020-4aea-1069-a2dd-08002b40409d}\ntldr.pif

In fact, the above code won't work as shown, because I have changed the values in brackets. This is all about what the virulent code looks like.
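As an added example (not from this post or from any vendor), the following Python script parses an AutoRun.inf body and reports the traits visible in the listing above: shell verb commands being overridden, a launch target with a non-.exe executable extension, a CLSID-style folder name in the launch path, and an 8.3 short name in the path. The sample it runs on is constructed to mirror the listing with an all-zero placeholder GUID, and the benign sample is constructed too.

```python
import re

# Constructed sample modelled on the AutoRun.inf quoted in the post; the CLSID-style
# folder name is an all-zero placeholder, not a value taken from the infected drive.
SAMPLE_AUTORUN = """[AutoRun]
open=
shell\\open\\Command=System~1\\com1.{00000000-0000-0000-0000-000000000000}\\ntldr.pif
shell\\open\\Default=1
shell\\explore\\Command=System~1\\com1.{00000000-0000-0000-0000-000000000000}\\ntldr.pif
"""

# Constructed benign sample of the kind a vendor CD ships.
BENIGN_AUTORUN = """[AutoRun]
icon=setup.exe,0
label=Product CD
open=setup.exe
"""

EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_autorun(text):
    """Parse the INI-like AutoRun.inf into {section: [(key, value), ...]}.

    Keys are lower-cased and duplicates are kept in order, which configparser would reject.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_findings(text):
    """Return human-readable findings for an AutoRun.inf body (empty list if nothing odd)."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        lower = value.lower()
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"shell verb override: {key}={value}")
        if key.startswith("shell\\") and key.endswith("\\default"):
            findings.append(f"default verb changed: {key}={value}")
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            if lower.endswith(EXEC_EXTENSIONS) and not lower.endswith(".exe"):
                findings.append(f"executable with non-.exe extension: {key}={value}")
            if CLSID_RE.search(value):
                findings.append(f"CLSID-style folder in launch path: {key}={value}")
            if "~" in value:
                findings.append(f"8.3 short name in launch path: {key}={value}")
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, autorun_findings(body) or ["no findings"])
```

The shell\open\Command override is the important finding: with AutoRun enabled, opening the drive in Explorer runs that command instead of showing the folder, which is how a cleaned machine gets reinfected from the pen drive. Disabling AutoRun for removable drives through the NoDriveTypeAutoRun policy value under the Explorer policies key closes that route regardless of what the .inf says.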

The disinfection report from Kaspersky Antivirus 8 Beta:

Detected
--------
Status Object
------ ------
deleted:
virus Packed.Win32.PolyCrypt.b File: J:\portables\proceeded\processed\Boss.exe/bossinv.exe
deleted:
Trojan program Backdoor.Win32.Skrat.e File: J:\processed\setup - mbhttpbf.exe//data0001
deleted:
malware HackTool.Win32.VB.ao File: J:\setup - mbhttpbf.exe//data0003
deleted:
Trojan program Trojan-Spy.Win32.WebPageRecorder.b File: J:\setup - Stealth Web Page Recorder.exe/WebPageRecorder.exe
deleted:
Trojan program Trojan-PSW.Win32.XPassLogger File: J:\ \portables\proceeded\processed\setup - XP Login Password.exe/kbfiltr.sys
deleted:
virus Packed.Win32.PolyCrypt.b File: J:\ \processed\Blazing Invisible Boss.exe/bossinv.exe
deleted:
Trojan program Trojan-PSW.Win32.Agent.eb File: J:\ \processed\Girls_boys.exe
deleted:
malware Nuker.Win32.Small.b File: J:\ \processed\send messages to IP.exe//UPX//Autoit
deleted:
Trojan program Backdoor.Win32.Skrat.e File: J:\ \processed\setup - mbhttpbf.exe//data0001
deleted:
malware HackTool.Win32.VB.ao File: J:\ \processed\setup - mbhttpbf.exe//data0003
deleted:
Trojan program Trojan-Spy.Win32.WebPageRecorder.b File: J:\ \processed\setup - Stealth Web Page Recorder.exe/web.dll
detected:
riskware not-a-virus:RiskTool.Win32.HideWindows File: G:\AUTOPLAY\DOCS\COMMON\CMDOW.EXE
deleted:
Trojan program Trojan-PSW.Win32.XPassLogger File: J:\ \processed\setup - XP Login Password.exe/kbfiltr.sys
