Virus Profile: W32/Jeefo

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/30/2003
Date Added: 5/1/2003
Origin: Unknown
Length: Infected files increase in size by 36,352 bytes.
Type: Virus
Subtype: Win32
DAT Required: 4262

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of SVCHOST.EXE (36,352 bytes) in %WinDir%, with the system attribute set. NB: the legitimate system file of the same name normally lives in %SysDir%, e.g. C:\WINDOWS\SYSTEM\SVCHOST.EXE; a copy directly under %WinDir% is the indicator.
  • Infected PE files increase in size by exactly 36,352 bytes (the size of the virus body).

Methods of Infection

This parasitic infector encrypts the original host file and appends the encrypted data to the infected file, so every infected file grows by 36,352 bytes.

Once a machine is infected, the dropped SVCHOST.EXE (running as a service on NT/2000) periodically infects executables on the machine.

   

Virus Characteristics

This is a parasitic 32-bit file infecting virus that infects Windows PE files on the victim machine.

When an infected file is run on the victim machine, the file SVCHOST.EXE (36,352 bytes) is dropped in %WinDir% with the system attribute set. On Windows 9x machines, the following Registry value is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"PowerManager" = %WinDir%\SVCHOST.EXE

On Windows NT/2000/XP machines, the dropped file is installed as a service, with the following characteristics:

Description: Manages the power save features of the computer
Display Name: Power Manager
Start Type: Automatic
Account: Local System

Once running in memory, the virus periodically attempts to infect PE files on the victim machine.
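The indicators from the Indication of Infection and Virus Characteristics sections, turned into a small offline triage script. This is an added example, not McAfee's own tooling: the file inventories, the RunServices value and the service list are constructed snapshots, %WinDir% is assumed to be C:\WINDOWS, and the non-Jeefo file sizes are made up. On a live host you would feed the same functions a file walk, a registry export and a service listing.

```python
"""Triage helpers for the W32/Jeefo indicators described on this page.

Added example; all inputs below are constructed so the checks run offline.
"""
import re
from pathlib import PureWindowsPath

JEEFO_BODY_SIZE = 36_352                # bytes added to every infected PE file
DROPPER_NAME = "svchost.exe"            # dropped into %WinDir% (legit copy is in %SysDir%)
RUN_VALUE_NAME = "PowerManager"         # value under HKLM\...\RunServices on Windows 9x
SERVICE_DISPLAY_NAME = "Power Manager"  # service display name on NT/2000/XP


def _norm(path):
    """Case-insensitive, separator-normalised key for a Windows path."""
    return str(PureWindowsPath(path)).lower()


def is_windir_svchost(path, windir=r"C:\WINDOWS"):
    """True if `path` is SVCHOST.EXE directly under %WinDir%, where the
    dropper lands. The legitimate file under %SysDir% does not match."""
    p = PureWindowsPath(path)
    return p.name.lower() == DROPPER_NAME and _norm(p.parent) == _norm(windir)


def is_dropped_svchost(path, size, attrs, windir=r"C:\WINDOWS"):
    """Match the dropped file: %WinDir%\SVCHOST.EXE, 36,352 bytes, system
    attribute set (`attrs` is an attribute string such as "SH")."""
    return (is_windir_svchost(path, windir)
            and size == JEEFO_BODY_SIZE
            and "s" in attrs.lower())


def grown_pe_files(baseline, current, delta=JEEFO_BODY_SIZE):
    """Paths whose size grew by exactly `delta` bytes between two inventories
    ({path: size}). Files missing from either snapshot are ignored."""
    base = {_norm(p): s for p, s in baseline.items()}
    return sorted(p for p, s in current.items()
                  if _norm(p) in base and s - base[_norm(p)] == delta)


def persistence_hits(run_values, services, windir=r"C:\WINDOWS"):
    """Findings for the two start-up hooks the page describes.

    run_values: {value_name: data} exported from the Windows 9x RunServices key.
    services:   iterable of dicts with 'display_name' and 'image_path'.
    """
    hits = []
    data = run_values.get(RUN_VALUE_NAME, "")
    expanded = re.sub(r"%windir%", lambda m: windir, data, flags=re.IGNORECASE)
    if is_windir_svchost(expanded, windir):
        hits.append(f"RunServices value {RUN_VALUE_NAME} -> {data}")
    for svc in services:
        if (svc["display_name"] == SERVICE_DISPLAY_NAME
                and is_windir_svchost(svc["image_path"], windir)):
            hits.append(f"service '{SERVICE_DISPLAY_NAME}' -> {svc['image_path']}")
    return hits


# Constructed snapshot of a host showing every indicator (sizes of the
# non-Jeefo files are invented for the example).
CONSTRUCTED_FILES = {
    r"C:\WINDOWS\SVCHOST.EXE": (36_352, "SH"),          # dropper
    r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE": (8_192, "A"),   # legitimate copy
}
CONSTRUCTED_BASELINE = {
    r"C:\Program Files\App\app.exe": 102_400,
    r"C:\Program Files\App\helper.exe": 40_960,
    r"C:\Tools\editor.exe": 55_000,
}
CONSTRUCTED_CURRENT = {
    r"C:\Program Files\App\app.exe": 102_400 + 36_352,  # grown by one virus body
    r"C:\Program Files\App\helper.exe": 40_960,         # untouched
    r"C:\Tools\editor.exe": 56_000,                     # ordinary update, wrong delta
}
CONSTRUCTED_RUN = {"PowerManager": r"%WinDir%\SVCHOST.EXE"}
CONSTRUCTED_SERVICES = [
    {"display_name": "Power Manager", "image_path": r"C:\WINDOWS\SVCHOST.EXE"},
    {"display_name": "Server", "image_path": r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE"},
]


def triage(files=CONSTRUCTED_FILES, baseline=CONSTRUCTED_BASELINE,
           current=CONSTRUCTED_CURRENT, run_values=CONSTRUCTED_RUN,
           services=CONSTRUCTED_SERVICES):
    """Run every check and return the findings as a list of strings."""
    findings = [f"dropper: {p}" for p, (size, attrs) in files.items()
                if is_dropped_svchost(p, size, attrs)]
    findings += [f"grown by {JEEFO_BODY_SIZE} bytes: {p}"
                 for p in grown_pe_files(baseline, current)]
    findings += persistence_hits(run_values, services)
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The size-delta check is only meaningful against a trusted baseline inventory taken before the suspected infection; a file that grew by some other amount (the editor.exe entry above) is deliberately not reported, and files present in only one snapshot are ignored rather than guessed at.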

Removal Instructions

All Users:
Use the current engine and DAT files (4262 or later) for detection. Replace files that cannot be cleaned with backup copies.

Additional Windows ME/XP removal considerations