The KAV displayed the following notice every time the infected file/folder was scanned.
will be deleted when the computer is restarted: virus Virus.Win32.Parite.b File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ena1.tmp//UPX
To the sadness after the complete scanning and rebooting the system the virus was still resided at the %temp% folder. Later delving thoroughly, it was found that the virus Virus.Win32.Parite.b replicated itself into the System Volume Information system folder of the local drive and the pen drive as well. Surprisingly, in my JetFlash V110 pendrive there used to be no such system folder as System Volume Information. And with no further lingering, I just deleted it using TuneUp Shredder and all such unwanted files were deleted successfully, and finally a decisive full system scan was done to eliminate all the infected files and the virus itself.
continue reading and exploring full source code of the virus below
Malware Descriptions / Parasitic Classic Viruses section of the viruslist.com writes on parasitic viruses Virus.Win32.Parite.b as
Parasitic viruses modify the code of the infected file. The infected file remains partially or fully functional.
Parasitic viruses are grouped according to the section of the file they write their code to:
- Prepending: the malicious code is written to the beginning of the file
- Appending: the malicious code is written to the end of the file
- Inserting: the malicious code is inserted in the middle of the file
Inserting file viruses use a variety of methods to write code to the middle of a file: they either move parts of the original file to the end or copy their own code to empty sections of the target file. These are sometimes called cavity viruses.
File and Boot Viruses here is very useful information on aliases and coding of the virus we are dealling with:
Virus.Win32.Parite.b (Kaspersky Lab) is also known as: Win32.Parite.b (Kaspersky Lab), W32/Pate.b (McAfee), W32.Pinfi (Symantec), Win32.Parite.2 (Doctor Web), W32/Parite-B (Sophos), Win32/Parite.B (RAV), PE_PARITE.A (Trend Micro), W32/Parite (H+BEDV), W32/Parite.B (FRISK), Win32:BackDoor-Servu (ALWIL), Win32/Parite (Grisoft), Backdoor.FtpUServ.A (SOFTWIN), W32/Parite.B (Panda), Win32/Parite.B (Eset)
This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the key that it creates in the system registry:
Details of Virus.Win32.Parite.a (Kaspersky Lab) is also known as: Win32.Parite.a (Kaspersky Lab), W32/Pate.a (McAfee), W32.Spybot.Worm (Symantec), Win32.Parite.1 (Doctor Web), W32/Parite-A (Sophos), Win32/HLLW.SpyBot (RAV), PE_PARITE.A (Trend Micro), W32/Parite (H+BEDV), W32/Spybot.IA (FRISK), Win32:SpyBot-GEN (ALWIL), Win32/Parite (Grisoft), Win32.Parite.A (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/Parite.A (Eset)
The virus consists of a dropper, which is witten in assembler, and the virus part itself, written in Borland C++. When an infected file is launched, the control flow is passed to the virus dropper, which writes the virus to a temporary file and executes its infection procedure. The virus searches for Win32 EXE PE files with .scr and .exe extensions on all logical drives of computer, and also in shared resources of local network, and infects them.
The virus doesn't manifest itselfs presence in any way. The structure of infected file looks like this:Host file
dropper - drops "main" to TEMP dir and executes it.
main - searches for files and infects them, e.t.c.
The AutoRun.inf file contained the following code, think this is system dependent and further it directly attacks the system shell command.
In actual, the above code won't be functional as I have changed the values in brackets. This is all about how the virulent code looks like.
The virus treated report from Kaspersky Antivirus 8 Beta Version
deleted: virus Packed.Win32.PolyCrypt.b File: J:\portables\proceeded\processed\Boss.exe/bossinv.exe
deleted: Trojan program Backdoor.Win32.Skrat.e File: J:\processed\setup - mbhttpbf.exe//data0001
deleted: malware HackTool.Win32.VB.ao File: J:\setup - mbhttpbf.exe//data0003
deleted: Trojan program Trojan-Spy.Win32.WebPageRecorder.b File: J:\setup - Stealth Web Page Recorder.exe/WebPageRecorder.exe
deleted: Trojan program Trojan-PSW.Win32.XPassLogger File: J:\ \portables\proceeded\processed\setup - XP Login Password.exe/kbfiltr.sys
deleted: virus Packed.Win32.PolyCrypt.b File: J:\ \processed\Blazing Invisible Boss.exe/bossinv.exe
deleted: Trojan program Trojan-PSW.Win32.Agent.eb File: J:\ \processed\Girls_boys.exe
deleted: malware Nuker.Win32.Small.b File: J:\ \processed\send messages to IP.exe//UPX//Autoit
deleted: Trojan program Backdoor.Win32.Skrat.e File: J:\ \processed\setup - mbhttpbf.exe//data0001
deleted: malware HackTool.Win32.VB.ao File: J:\ \processed\setup - mbhttpbf.exe//data0003
deleted: Trojan program Trojan-Spy.Win32.WebPageRecorder.b File: J:\ \processed\setup - Stealth Web Page Recorder.exe/web.dll
detected: riskware not-a-virus:RiskTool.Win32.HideWindows File: G:\AUTOPLAY\DOCS\COMMON\CMDOW.EXE
deleted: Trojan program Trojan-PSW.Win32.XPassLogger File: J:\ \processed\setup - XP Login Password.exe/kbfiltr.sys
More more studies:
Choose an apt security software for you, read Reinvesting in Security? THINK ONCE AGAIN!
Don't forget to read the discussion on Getting rid of Kinza virus : How do I remove kinza virus?