Virus.Win32.RemEx
| Field | Value |
|---|---|
| Alert level | High |
| Discovered | Mar 07 2000 |
| Tag | Executable File and Boot Viruses |
| Discoverer and source | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
The virus is quite large: it is written in Microsoft Visual C and is about 125K. The original virus code occupies about 14K, the GZIP routines about 20K, and the C run-time libraries about 40K; the remaining space is taken up by virus and C run-time data, resources, etc.
The virus has quite an unusual structure: the infected files have code and data segments, as well as three resources that contain compressed executable files. The first resource contains the standard NT4 PSAPI.DLL, which the virus uses to access processes in system memory.
The second resource is the original virus code itself (including the same compressed PSAPI.DLL in its own resource). This copy of the virus code is used as the source data when the virus installs itself into the system and when it infects EXE files.
The third resource is the host file, which is extracted and decompressed when the virus needs to run the host program.
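The three-resource layout described above suggests a simple static triage check for a defender: carve every embedded gzip member out of a suspect file and test whether it inflates to a PE image. The Python script below is an added example, not code from the original page or from Kaspersky; the buffer it scans is constructed inline (a fake minimal PE and a short text blob, each gzip-compressed and surrounded by filler), and the function names are my own.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2 and the deflate compression-method byte


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_gzip_members(blob: bytes, max_out: int = 64 * 1024 * 1024) -> list:
    """Scan blob for gzip members and try to inflate each one in place.

    Returns one dict per candidate with its offset, inflated size, whether the
    member was complete (trailer CRC and length verified by zlib) and whether
    the inflated data looks like a PE image. Candidates that zlib rejects
    outright (bytes that merely happen to contain the magic) are skipped.
    """
    hits = []
    off = blob.find(GZIP_MAGIC)
    while off != -1:
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # +16: expect a gzip wrapper
        try:
            out = inflater.decompress(blob[off:], max_out)
            complete = inflater.eof
        except zlib.error:
            out, complete = b"", False
        if out:
            hits.append({
                "offset": off,
                "size": len(out),
                "complete": complete,
                "is_pe": looks_like_pe(out),
            })
        off = blob.find(GZIP_MAGIC, off + 1)
    return hits


def complete_members(blob: bytes) -> list:
    """Only the members whose gzip trailer verified; truncated or bogus ones are dropped."""
    return [h for h in carve_gzip_members(blob) if h["complete"]]


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ stub, e_lfanew=0x40, PE signature, filler."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x90" * 200


# Constructed sample: filler, a gzip'd fake PE, filler, a gzip'd text blob, filler.
SAMPLE = (
    b"\x00" * 64
    + gzip.compress(build_fake_pe(), mtime=0)
    + b"A" * 32
    + gzip.compress(b"hello, not an executable", mtime=0)
    + b"\x00" * 16
)


if __name__ == "__main__":
    for hit in carve_gzip_members(SAMPLE):
        print("offset=0x%x size=%d complete=%s pe=%s"
              % (hit["offset"], hit["size"], hit["complete"], hit["is_pe"]))
```

Running it on a real sample would be `carve_gzip_members(open(path, "rb").read())`; a file whose resources yield two or more complete gzip members that inflate to PE images is a strong hint that it carries compressed executables the way this virus does, and the carved images can then be hashed and scanned on their own.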
System registry: when installing its SYS driver, the virus uses standard NT API calls, so the system itself registers the virus driver in the registry; the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Remote Explorer is created.
Temporary files: while compressing and decompressing files the virus needs temporary files. It creates them in the Windows temporary directory with random names of the form ~xxxdddd.TMP (where 'x' are letters and 'd' are digits).
Summary
The virus is the first native "memory resident" NT infector, so it might look like a super-virus. Actually, the virus was written by a middle-level developer who had access to the NT Device Development Kit (DDK) documentation.
The virus does not hook any NT event, does not use any network protocols, does not try to access passwords, and does not spread its copy over the global network. Moreover, ordinary DOS parasitic viruses have the same network spreading abilities as this virus: they can also infect files on remote shared drives, stay in system memory, etc.
This is just a standard parasitic virus, but with the ability to infect NT services. It is no more complex than some other already known Windows viruses, and definitely no more complex than the well-known BO trojan (BackOrifice).
This virus is not a shock at all; it is the long-awaited Windows NT service virus.
Virus.Win32.RemEx removal instructions: