Win32.jeefo.A - the executable with NEW svchost.exe and some .text ...

Discussion in 'malware problems & news' started by PROROOTECT, Apr 1, 2009.

Thread Status:
Not open for further replies.

    PROROOTECT Registered Member

    May 5, 2008
    HERE ...Fort Lee, NJ
    Yes, presence of new file 'svchost.exe' in the Windows directory.

    Under Windows XP, presence of the 'Power Manager' service. This service has the description: 'Manages the power save features of the computer.'

    This executable file infector is written in MinGW and presents a VERY interesting (and DIFFICULT TO DISINFECT) infection technique.

    The file infection algorithm is complex; in some cases, infected files get corrupted.

    The infected file has the following layout:
    1) Virus
    2) Original file's resources (bitmaps, icons, etc.), thus the infected file has the same main icon as the original file
    3) Original file chunks - encrypted.

    The virus contains the following text string: 'Hidden Dragon virus. Born in a tropical swamp.' encrypted ... When encrypted, the word 'hidden' is transformed to 'iJeefo' (this is where this virus got its name from).

    Hmmm ...:thumb: :doubt:

    Yours PROROOTECT tropical :argh: connexion
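
Added example, not part of the original post: a triage check for the two host indicators reported above, a `svchost.exe` sitting directly in the Windows directory and a 'Power Manager' service carrying the quoted description. The inventory format (dicts with `files`, `services`, `windir`) and all function names are assumptions, and the sample hosts are constructed.

```python
import ntpath

# Indicators as reported in the post; the inventory format is an assumption.
SERVICE_NAME = "power manager"
SERVICE_DESC = "manages the power save features of the computer."

def _norm(path):
    # ntpath gives Windows path semantics on any OS (case-insensitive, / or \).
    return ntpath.normcase(ntpath.normpath(path))

def svchost_in_windir(paths, windir=r"C:\Windows"):
    """Return svchost.exe copies sitting directly in the Windows directory.
    The genuine binary lives one level down, in System32."""
    root = _norm(windir)
    return [p for p in paths
            if ntpath.basename(_norm(p)) == "svchost.exe"
            and ntpath.dirname(_norm(p)) == root]

def power_manager_services(services):
    """Return (display_name, matched_fields) for services matching the reported
    name and/or description. Both fields matching is the stronger signal."""
    hits = []
    for svc in services:
        matched = []
        if svc.get("display_name", "").strip().lower() == SERVICE_NAME:
            matched.append("display_name")
        if svc.get("description", "").strip().lower() == SERVICE_DESC:
            matched.append("description")
        if matched:
            hits.append((svc.get("display_name", ""), matched))
    return hits

def triage(host):
    files = svchost_in_windir(host["files"], host.get("windir", r"C:\Windows"))
    svcs = power_manager_services(host["services"])
    strong = bool(files) and any(len(m) == 2 for _, m in svcs)
    return {"files": files, "services": svcs, "strong_match": strong}

# Constructed sample inventories (not taken from a real host).
INFECTED = {
    "files": [r"C:\WINDOWS\system32\svchost.exe", r"c:\windows\SVCHOST.EXE"],
    "services": [{"display_name": "Power Manager",
                  "description": "Manages the power save features of the computer."}],
}
CLEAN = {
    "files": [r"C:\WINDOWS\system32\svchost.exe"],
    "services": [{"display_name": "Power", "description": "Manages power policy."}],
}
```

A display-name match on its own is only a prompt to inspect the service; `strong_match` requires the misplaced file together with both service fields.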