1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: W32.Jeefo Activity

System Infected: W32.Jeefo Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activities of security risk W32.Jeefo.

Additional Information

W32.Jeefo is a Windows Portable Executable (PE) file infector. Files infected by W32.Jeefo increase in size by 36,352 bytes.

W32.Jeefo detection is provided both for the W32.Jeefo stand-alone, first-generation executable and for a host application, which is infected with W32.Jeefo.

W32.Jeefo infects the host application in three steps. The virus:

1. Imports the host's resources.
2. Encrypts data that represents the host application with the stripped resources.
3. Appends this particular data to the newly constructed executable.


If W32.Jeefo detects that it is an infected host application, it will do the following:

1. Reconstruct the first-generation W32.Jeefo executable.
2. Drop it as Svchost.exe (36,352 bytes) into the %Windir% folder.
Then, the dropped file will be run with the program parameter that specifies an infected application, which has dropped and run Svchost.exe.
3. It will quit.


When svchost.exe (the first-generation W32.Jeefo executable) runs, it checks whether the program parameter specifies an infected application. If it detects that another application dropped and ran it, and that the application contains the following infection marker at a fixed file offset:

Hidden Dragon virus. Born in a tropical swamp.

it will perform the following actions:

1. Waits until the infected host quits so that its file is unlocked.
2. Reconstructs the original host by detaching appended data, decoding it, and moving the resources back to it.
3. Runs the reconstructed executable that does not contain W32.Jeefo code.


In other words, when an application infected with W32.Jeefo is executed, the dropped W32.Jeefo first-generation program repairs it.

If the operating system is Windows 95/98/Me, the first-generation W32.Jeefo performs the following actions:

1. Registers itself as a service process to hide itself from the task list.

2. Creates the value:

"PowerManager"="%windir%\svchost.exe"

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices

so that the virus starts when you start or restart Windows 95/98/Me.

NOTE: %Windir% is a variable. W32.Jeefo locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and uses it as a destination folder.

If the operating system is Windows NT/2000/XP, the first-generation W32.Jeefo performs the following actions:

1. Installs itself as the service, "Power Manager". The description of this service is "Manages the power save features of the computer."

2. Creates the PowerManagerMutant mutex. This mutex allows only one instance of the virus to execute in memory.

Finally, W32.Jeefo initiates the infection routine that will enumerate and infect the Windows PE files.

NOTE: The first generation W32.Jeefo (36,352 bytes) will grow in size by the amount of resources imported from the host application.
As the host application is appended with its resources stripped, the W32.Jeefo infection increases the file size of the host by 36,352 bytes.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Jeefo.
5. Delete the value that was added to the registry (Windows 95/98/Me).
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube