WIN32.HEZHI

Discussion in 'malware problems & news' started by eyespy, Jun 21, 2002.

Thread Status:
Not open for further replies.
  1. eyespy (Registered Member; Joined: Feb 20, 2002; Posts: 490; Location: Oh Canada !!)

    Yep...I got it, don't know how or with what !! :mad:
    I'm finding it difficult to find info on this one. A worm, virus, trojan maybe?
    Any info would be greatly appreciated. I managed to get rid of it, but I would like to know what keys to look for !!

    Regards,
    bill
     
  2. spy1 (Registered Member; Joined: Dec 29, 2002; Posts: 3,139; Location: Clover, SC)

    Re: Pete

    Bill - What AV or AT program identified it to start with?

    No cross-references in their DB such as 'Also known as...' by other vendors? Pete
     
  3. FanJ (Guest)


    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/dyn/33222.html

    W32.Hezhi
    Detected as:   W32.Hezhi
    Aliases:   None
    Area of Infection:   .EXE Files
    No additional information


    TrendMicro:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_HEZHI.A&VSect=T

    In the wild:   No
    Payload 1:   Modifies Files (increases file size)
    Trigger condition 1:   Upon execution
    Discovered:   May. 22, 2002
    Detection available:    May. 29, 2002
    Detected by pattern file #:   290
    (still using 900-series pattern files?)
    Detected by scan engine #:    5.200
    Language:   English
    Platform:   Windows
    Encrypted:   No
    Size of virus:   12,800 Bytes
    Details:
    This polymorphic file infector uses an Entry Point Obscuring (EPO) method to infect target files. Upon execution, it infects Windows executable files and then stays resident in memory to infect other executable files that the infected user runs.
    To infect, it replaces the first 512 Bytes of the entry point section of the target file with its EPO code. It saves the original 512 Bytes and encrypts it in the virus body. It then attaches itself at the last section of the infected file.
    This virus uses five levels of encryption to avoid detection. It uses anti-debugging techniques so that it is harder to trace and analyze.
    This virus can infect .EXE files on network shared drives with read and write access.
    Description created: May. 29, 2002
     
  4. wizard (Registered Member; Joined: Feb 9, 2002; Posts: 818; Location: Europe - Germany - Duesseldorf)

    Which av software reported this virus?
    Which files (including pathname) are infected?
    What is the version of your av software?
    What is the date of the used signature files?
    If available what is the version number of the scan engine?

    wizard
     
  5. eyespy (Registered Member; Joined: Feb 20, 2002; Posts: 490; Location: Oh Canada !!)

    I'm using Dr Web 4.28, with the very latest updates. Engine 4.28a.
    I'm thinking my son may have downloaded it, but I can't find the original file.
    Here are a couple of files that were infected:
    c:\windows\logos.sys
    \dxtmsft3.dll
    \lmrt.dll
    \mdmrock2.cat
    \catalog3.cab
    And also a few .dll's linked to Realplayer and a few of my games. Also, in the infected file log was an IE page in the temp files. Odd or what ?
    thanks,
    bill o_O
     
  6. JacK (Registered Member; Joined: Jun 20, 2002; Posts: 737; Location: Belgium - Liège)

    Hi,

    Infects only *.exe, non destructive

    No problem if it's only in your internet Temp files : just clean it.

    Rgds,

    JacK :cool:
     
  7. wizard (Registered Member; Joined: Feb 9, 2002; Posts: 818; Location: Europe - Germany - Duesseldorf)

    Hi eyespy,

    According to the description of TrendMicro the virus can only infect *.exe files but on your machine there are a couple of other file types infected as well. I think it might be a false positive. To make sure if this is a real infection or not send the files to the DrWeb team to cross check. Email is: Antivir@Dials.ru

    wizard
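    A first cross-check a defender can run on flagged files, before sending them to the vendor: confirm each is actually a PE image (a .cat or .cab is not, so a file-infector hit on one deserves suspicion) and see which section holds its entry point, which TrendMicro's description says this EPO infector leaves in place. This is an added example, not code from the thread or from any vendor; the PE headers it builds are constructed for offline use.

```python
import struct

def pe_triage(data: bytes) -> dict:
    """Report whether a flagged file is a PE image and which section holds its entry point.

    Non-PE input (a .cab or .cat, for instance) returns {'is_pe': False}.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False}
    coff = e_lfanew + 4                                      # COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                          # optional header
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sec_tbl = opt + opt_size                                 # section table follows it
    sections = []
    for i in range(num_sections):
        off = sec_tbl + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vaddr, max(vsize, rsize)))
    entry_section = next((n for n, va, sz in sections if va <= entry_rva < va + sz), None)
    last = sections[-1][0] if sections else None
    return {"is_pe": True, "entry_rva": entry_rva, "entry_section": entry_section,
            "last_section": last, "entry_in_last_section": entry_section == last}

def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 header (headers only, no code) for offline testing.

    sections: list of (name, virtual_address, size) tuples.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 224                                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    tbl = b"".join(struct.pack("<8sIIII", n, sz, va, sz, 0) + b"\0" * 16
                   for n, va, sz in sections)
    return dos + b"PE\0\0" + coff + opt + tbl

if __name__ == "__main__":
    layout = [(b".text", 0x1000, 0x1000), (b".data", 0x2000, 0x1000)]
    print(pe_triage(build_sample_pe(0x1010, layout)))   # entry in .text, not the last section
    print(pe_triage(build_sample_pe(0x2010, layout)))   # entry in the last section
    print(pe_triage(b"MSCF" + b"\0" * 60))               # cabinet magic, not a PE
```

    Because an EPO infector patches code inside the existing entry-point section rather than moving the entry point, an entry point that still sits in .text does not rule the infection out; the check only separates non-executables and crude appenders from files that need a real scan or the vendor's analysis.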
     
  8. eyespy (Registered Member; Joined: Feb 20, 2002; Posts: 490; Location: Oh Canada !!)

    That's a good idea.
    TY Wiz !
    bill ;)
     