Virus Profile: W32/Pate.b

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	10/15/2001
Date Added:	9/13/2002
Origin:	Unknown
Length:	177kb
Type:	Virus
Subtype:	Worm
DAT Required:	4167
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key

Methods of Infection

The virus drops a UPX packed executable in the user temporary directory and executes it.

This file is actually a DLL, 176,128 bytes in length, bearing a random filename with a .TMP extension (eg. SQH9.TMP ). The DLL is injected into the EXPLORER.EXE process, thus keeping the virus memory resident.

The virus enumerates all network shares and infects all PE .EXE and .SCR files that it has write access to.

Aliases

PE_PARITE.A (Trend), W32.Pinfi (Symantec), W32/Parite-B (Sophos), W32/Parite.B (F-Prot), W32/Parite.B (Panda), W32/Pate.a, W32/Pate.b.dll, W32/Pate.b.tmp, Win32.Parite.b (AVP), Win32.Pinfi.A (CA)

View Virus Characteristics

Virus Family Statistics (over the past 30 days)

Family Statistics information
Virus Name	Infected Files	Scanned Files	% Infected Computers
W32/Pate.b	2122	197573	0.00

Virus Characteristics

This is an encrypted parasitic file-infecting virus and network aware worm. It appends PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section with a random 3 letter section header followed by the character "•".

The virus creates the following Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\PINF

The virus does not store the original file size, and hence cleaning of this virus will not leave the original executables at their original size. In the majority of cases this will not cause an issue as the growth in file size is non-infectious "garbage" data at the end of the file. Certain applications which undertake a self-check will not run after cleaning and should be deleted and restored from backup.

Additionally the virus may mis-infect files with an incomplete virus body and leave the executable non-functioning. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup.

Back To Overview View Removal Instructions

Use specified engine and DAT files for detection and removal.

Infected systems should be removed from the network and repaired prior to placing them back on to the network. Failure to do so can results in further infections.

Note: The UPX-packed dropped DLL is injected into the EXPLORER.EXE process for the virus to remain memory resident. Cleaning involves the unloading of this DLL from EXPLORER, which requires the 4.2.60 engine (or greater). A reboot may be required after the .dll is removed from explorer.exe.

As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.

Additional Windows ME/XP removal considerations