
Dr.Web Anti-virus protects peer-to-peer networks from the dangerous polymorphic virus Win32.Polipos

April 19, 2006

The virus monitoring service of Doctor Web, Ltd. warns users of peer-to-peer networks about a dangerous polymorphic virus named Win32.Polipos, which emerged about a month ago and is actively propagating in various file-sharing networks.

Win32.Polipos began spreading in March. It was added to the Dr.Web virus base on March 20, 2006, and since then it has posed no danger to users of Dr.Web Anti-virus.

Apart from the complicated polymorphic technique used by the virus writer, the virus also has a dangerous function of “neutralizing” certain anti-virus and security programs. Spreading freely across P2P networks, the virus infiltrates computers connected to them and, once run, silently makes them accessible to the public of those P2P networks.

The virus infects Windows executables by writing the code of its polymorphic decoder into unused space in code sections, as if “covering the body of the victim with its own spots”. At the same time it creates a new section for its main encrypted code and, if a resource section exists, moves it further down. When implanting itself into a file it does not modify the original entry point; instead it replaces the addresses of randomly selected API calls with the start address of the virus.
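As an added, defender-side illustration of the file layout just described (this is not Doctor Web's code and contains nothing of the virus), the Python script below builds a toy PE32 image itself and runs two checks over it: because the entry point is left untouched, the classic “entry point outside a code section” heuristic does not fire, while non-zero bytes in the code section's padding do. The toy image, the section layout and the heuristics are assumptions for illustration only.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020

def parse_pe(data):
    """Minimal PE32 reader: returns (AddressOfEntryPoint, [section dicts]); not a full loader."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]        # optional header + 16
    secs = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                     "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return entry, secs

def entry_point_outside_code(data):
    """Classic heuristic (entry point not in a code section); Polipos leaves the entry point alone, so it misses."""
    entry, secs = parse_pe(data)
    return not any(s["chars"] & IMAGE_SCN_CNT_CODE and s["va"] <= entry < s["va"] + s["vsize"]
                   for s in secs)

def code_slack_is_dirty(data):
    """Polipos-style indicator: code-section padding (VirtualSize..SizeOfRawData) is normally all zero."""
    _, secs = parse_pe(data)
    for s in secs:
        if s["chars"] & IMAGE_SCN_CNT_CODE and s["rawsize"] > s["vsize"]:
            if any(data[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]):
                return True                                         # decoder "spots" found
    return False

def build_sample(slack):
    """Constructed toy PE32 (test data, not a real binary): .text = 200 NOPs + 312 bytes of `slack`."""
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                             # e_lfanew = 64
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)    # COFF header
    hdr += struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1010).ljust(224, b"\0")  # EP inside .text
    for name, vs, va, rs, rp, ch in [(b".text", 200, 0x1000, 512, 512, 0x60000020),
                                     (b".data", 512, 0x2000, 512, 1024, 0xC0000040),
                                     (b".rsrc", 512, 0x3000, 512, 1536, 0x40000040)]:
        hdr += struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, ch)
    text = b"\x90" * 200 + slack[:312].ljust(312, b"\0")
    return hdr.ljust(512, b"\0") + text + b"\0" * 1024

CLEAN = build_sample(b"")
INFECTED_LIKE = build_sample(bytes(range(1, 256)) * 2)   # constructed non-zero "decoder" bytes
```

Linkers normally zero-fill that padding, so a scanner can treat non-zero slack in a code section as one cheap structural indicator to combine with others.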

When the virus is launched, it injects its code into all running processes except the following:

savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll
smss, csrss, spoolsv, ctfmon, temp

Thus, several copies of the virus remain in the computer's memory, each responsible for a particular activity, for example searching for files to infect, infecting files, or interacting with Gnutella-based P2P networks. Infected files are made available to members of the network.

Resident copies of Win32.Polipos hook the following API functions: ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW. Whenever one of these functions is called, new files get infected. When control is passed to an infected file that carries an overlay (self-extracting archives, installation files, etc.), the virus tries to write a copy of the original file to the temporary directory under the name ptf*.tmp and runs it. This is done to evade the integrity checks performed by certain installers.

The spread of this virus has understandably alarmed P2P users, and it is odd that, although the presence of Win32.Polipos in these networks has been no secret to anybody for a whole month, Dr.Web Anti-virus long remained the only anti-virus to detect it.

At the beginning of the epidemic, the technical support service of Doctor Web, Ltd. received requests from users reporting supposed false alarms on “clean” files. Dr.Web analysts, however, established that a new virus was involved. Dr.Web Anti-virus successfully detects the various modifications of this complicated polymorphic virus thanks to the high technological level of the Dr.Web engine.

The virus monitoring service of Doctor Web, Ltd. has now developed a curing procedure for files infected with Win32.Polipos. It is intended for users whose anti-virus programs still do not detect this virus, and whose computers, though protected by other anti-virus products, are infected and keep infecting other machines. The curing technique is rather involved, since it has to process the complicated XTEA encryption algorithm, and decrypting the virus code can take a long time. You do not need to download any additional curing utilities to cure infected files: just use Dr.Web Anti-virus and update the virus bases on time.
