W32/Jeefo-A infects Windows PE executables with an extension of EXE and a filesize greater than 102,399 bytes, in all folders of all fixed drives C: to Z:



After 6 antivirus programs found the virus (W32.Hidrag-A, W32/Jeefo-A) but could not remove it, here is what I did:

1. Download jeefosfx.exe (https://www.sophos.com/support/cleaners/jeefosfx.exe) and jeefogui.com (https://www.sophos.com/support/cleaners/jeefogui.com);
2. Extract jeefocli.exe to the default path (C:\Sophtemp) and copy jeefogui.com into this directory;
3. Boot in Safe Mode;
4. Run - cmd;
5. cd sophtemp;
6. jeefocli.exe

That's all!



ziemenz

Your problem could have been solved very simply. Jeefo infects only executables ... if you try with Norton 2004 Pro or Bit you will damage them even more. Search Google for "jeefo antivirus" and you will find "jeefosfx.exe"; it includes the antivirus and a few instructions. Restart and boot in SAFE MODE ... start the antivirus, "jeefo.cli" I think it was called. First it will delete VHOST from Windows. VHOST is the main way it spreads. The rest is a piece of cake. Good luck


dan666

It has two modules, one of them is for DOS; they are called jeefoguy.com and jeefosfx.exe.
I got them from sophos.com, I think....

https://www.sophos.com/virusinfo/analyses/w32jeefoa.html

W32/Jeefo-A infects Windows PE executables with an extension of EXE and a filesize greater than 102,399 bytes, in all folders of all fixed drives C: to Z:.

The virus runs continuously in the background, infecting files at periodic intervals.

When an infected file is run, the virus dropper is extracted to the Windows folder as SVCHOST.EXE and the virus disinfects the host executable, although not all infected files will be successfully returned to their original state.

Under Windows 95/98/Me the virus creates the following registry entries so that the virus is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= <pathname of virus>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= "C:\<Windows>\SVCHOST.EXE"

Under Windows NT based systems (Windows NT/2000/XP) the virus creates a service named PowerManager with the startup type set to automatic, so that the virus is run automatically on startup.

https://www.viruslist.com/en/viruslist.html?id=61035

Win32.Hidrag

Aliases Win32.Hidrag (Kaspersky Lab) is also known as: W32/Jeefo (McAfee), W32.Jeefo (Symantec), Win32.HLLP.Jeefo.36352 (Doctor Web), W32/Jeefo-A (Sophos), Win32/HLLP.Jeefo (RAV), PE_JEEFO.A (Trend Micro), W32/Jeefo (H+BEDV), W32/Jeefo.A (FRISK), Win32:Jeefo (ALWIL), Win32/Hidrag.A (Grisoft), Win32.Jeefo.A (SOFTWIN)

Technical Details

Hidrag is a non-dangerous memory resident parasitic Win32 virus. The virus infects Win32 PE EXE files. While infecting the virus encrypts a block of victim files.

When the Hidrag virus runs it creates a copy of itself that is about 36K in size and places it in the Windows directory using the name svchost.exe. Next Hidrag registers this file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

PowerManager = %WindowsDir%\SVCHOST.EXE

Hidrag then stays in Windows memory as an active process, searches for EXE files on all drives - starting with the C: drive - and infects them.

The virus does not manifest itself in any way.

The virus contains the following encrypted text strings:



Hidden Dragon virus. Born in a tropical swamp.

PowerManagerMutant

https://www.bitdefender.ro/bd/site/search.php

Name: Win32.Jeefo.A
Alias: Win32.Jeffo.A
Type: Executable Infector
Size: 36.352 bytes, written in MinGW
Discovered:
Detected:
Spreading: Medium
Risk: Medium
ITW: Yes

Symptoms:
- Presence of the file "svchost.exe" in the Windows directory
- Under Windows 9x/Me, the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices contains the value "PowerManager" which points to "svchost.exe"
- Under Windows NT/2000/XP, presence of the "Power Manager" service. This service has the description: 'Manages the power save features of the computer.'

Technical description: This executable file infector is written in MinGW and presents a very interesting (and difficult to disinfect) infection technique. It contains various strings, encrypted with a trivial algorithm:
.text:004012B0 decryption_loop:
.text:004012B0 mov cl, [edx+ebx]
.text:004012B3 dec cl
.text:004012B5 mov [edx+eax], cl
.text:004012B8 inc edx
.text:004012B9 cmp edx, edi
.text:004012BB jl short decryption_loop

When an infected file is executed for the first time, the virus receives control and dumps a copy of itself in the Windows directory as svchost.exe and registers itself to be executed at every system startup: under Windows 9x/Me it adds a key to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; under NT/2000/XP, it creates a service called "Power Manager".

The file infection algorithm is complex; in some cases, infected files get corrupted (the virus is not capable of handling certain resource types).

The infected file has the following layout:
1) Virus
2) Original file's resources (bitmaps, icons, etc) -> thus the infected file has the same main icon as the original file
3) Original file chunks - encrypted

The disinfection routine decrypts the file chunks, re-links the file, adds the resources and re-locates them to the new relative virtual address. Resource relocation is tricky and in some cases may cause the virus to fail (crash); however, these files are correctly disinfected by BitDefender.

The virus contains the following text string: "Hidden Dragon virus. Born in a tropical swamp." encrypted with the same trivial encryption algorithm as above. When encrypted, the word "hidden" is transformed to "iJeefo" (this is where this virus got its name from).

Disinfection instructions:
Let BitDefender disinfect the files it found infected. When BitDefender encounters the "host" file (pure virus dropper), it will automatically delete it.

Disinfection tool:
N/A

Virus analyzed by:
BitDefender AV Research Team
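
The string obfuscation in the BitDefender listing above (each stored byte is decremented by one on decode) and the note that "hidden" is stored shifted by one can be used for triage: encode the known plaintext strings and search a file's bytes for them. This is an added example, not code from the original post or from any vendor; the function names are illustrative and the sample buffer is constructed.

```python
# Added example (not vendor code). The decoder shown above subtracts 1 from
# every byte (dec cl), so strings are stored in the file as plaintext + 1.

# Plaintext strings quoted in the vendor descriptions on this page.
KNOWN_STRINGS = [
    b"Hidden Dragon virus. Born in a tropical swamp.",
    b"PowerManagerMutant",
]

def decode(data: bytes) -> bytes:
    """Mirror of the decryption loop: out[i] = (in[i] - 1) mod 256."""
    return bytes((b - 1) & 0xFF for b in data)

def encode(data: bytes) -> bytes:
    """Inverse transform: the form in which a string sits in the file."""
    return bytes((b + 1) & 0xFF for b in data)

def find_encoded_strings(blob: bytes, needles=KNOWN_STRINGS):
    """Return sorted (offset, plaintext) pairs for known strings found encoded."""
    hits = []
    for plain in needles:
        pattern = encode(plain)
        start = blob.find(pattern)
        while start != -1:
            hits.append((start, plain.decode("ascii")))
            start = blob.find(pattern, start + 1)
    return sorted(hits)

def decoded_runs(blob: bytes, min_len: int = 8):
    """Decode the whole buffer and list printable ASCII runs of min_len or more."""
    runs, current, begin = [], bytearray(), 0
    for i, b in enumerate(decode(blob) + b"\x00"):  # sentinel flushes last run
        if 0x20 <= b <= 0x7E:
            if not current:
                begin = i
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.append((begin, current.decode("ascii")))
            current = bytearray()
    return runs

# Constructed sample buffer (not real virus bytes): filler around two encoded strings.
SAMPLE = (b"\x00\x90\x90" + encode(KNOWN_STRINGS[0]) + b"\x00\x00"
          + encode(KNOWN_STRINGS[1]) + b"\x00")

if __name__ == "__main__":
    for offset, text in find_encoded_strings(SAMPLE):
        print(f"0x{offset:04x}  {text}")
```

`find_encoded_strings` matches only the strings already known from the write-ups, while `decoded_runs` is a general "strings" pass over the decoded buffer that also surfaces text not in the list.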




