WIN32.HEZHI

Yep...I got it, don't know how or with what !!
I'm finding it difficult to find info on this one. A worm, virus, trojan maybe?
Any info would be greatly appreciated. I managed to get rid of it, but I would like to know what keys to look for !!

Regards,
bill

 

Re: Pete

Bill - What AV or AT program identified it to start with?

No cross-references in their DB such as 'Also known as...' by other vendors? Pete

 

Symantec:
http://securityresponse.symantec.com/avcenter/venc/dyn/33222.html

W32.Hezhi
Detected as:   W32.Hezhi
Aliases:   None
Area of Infection:   .EXE Files
No additional information

[hr]

TrendMicro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_HEZHI.A&VSect=T

In the wild:   No
Payload 1:   Modifies Files (increases file size)
Trigger condition 1:   Upon execution
Discovered:   May. 22, 2002
Detection available:    May. 29, 2002
Detected by pattern file #:   290
(still using 900-series pattern files?)
Detected by scan engine #:    5.200
Language:   English
Platform:   Windows
Encrypted:   No
Size of virus:   12,800 Bytes
Details:
This polymorphic file infector uses an Entry Point Obscuring (EPO)method to infect target files. Upon execution, it infects Windows executables files and then stays resident in memory to infect other executable files that the infected user runs.
To infect, it replaces the first 512 Bytes of the entry point section of the target file with its EPO code. It saves the original 512 Bytes and encrypts it in the virus body. It then attaches itself at the last section of the infected file.
This virus uses five levels of encryption to avoid detection. It uses anti-debugging techniques so that it is harder to trace and analyze.
This virus can infect .EXE files on network shared drives with read and write access.
Description created: May. 29, 2002

 

Which av software reported this virus?
Which files (including pathname) are infected?
What is the version of your av software?
What is the date of the used signature files?
If available what is the version number of the scan engine?

wizard

 

I'm using Dr Web 4.28, with the very latest updates. Engine 4.28a.
I'm thinking my son may have downloaded it, but I can't find the original file.
Here is a couple of files that were infected:
c:\windows\logos.sys
\dxtmsft3.dll
\lmrt.dll
\mdmrock2.cat
\catalog3.cab
And also a few .dll's linked to Realplayer and a few of my games. Also, in the infected file log was an IE page in the temp files. Odd or what ?
thanks,
bill

 

Hi,

Infects only *.exe, non destructive

No problem if it's only in your internet Temp files : just clean it.

Rgds,

JacK

 

Hi eyespy,

According to the description of TrendMicro the virus can only infect *.exe files but on your maschine there are a couple of other file types infected as well. I think it might be a false positive. To make sure if this is a real infection or not send the files to the DrWeb team to cross check. EMail is: Antivir@Dials.ru

wizard

 

That's a good idea.
TY Wiz !
bill