W32/Parite-B
McAfee's description:
Virus Family Statistics (over the past 30 days)

Virus Name          Infected Files   Scanned Files   % Infected Computers
Crepate.mp                       0               0                   0.00
Crepate.mp.1944                  0               0                   0.00
Crepate.mp.2910                  0               0                   0.00
W32/Pate                       570          82,060                   0.00
W32/Pate.a                   1,871       1,519,569                   0.00
W32/Pate.a.tmp                  34         514,763                   0.00
W32/Pate.b                   2,122         197,573                   0.00
W32/Pate.b.tmp                   7         134,063                   0.00

Virus Characteristics
This is an encrypted parasitic file-infecting virus and network-aware worm. It appends itself to PE .EXE and .SCR files in the Windows directory and its subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section whose name is a random 3-letter header followed by the character "•".

The virus creates the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
The virus does not store the original file size, and hence cleaning of this virus will not leave the original executables at their original size. In the majority of cases this will not cause an issue as the growth in file size is non-infectious "garbage" data at the end of the file. Certain applications which undertake a self-check will not run after cleaning and should be deleted and restored from backup.

Additionally the virus may mis-infect files with an incomplete virus body and leave the executable non-functioning. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup.

Indications of Infection
- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key
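The appended section described above is something a responder can look for directly in a suspect file. The following is an added example, not McAfee's code: it walks the PE section table and flags a file whose last section name is three letters followed by a non-ASCII byte. The description shows that trailing character as "•"; how it is actually encoded in the raw header is an assumption here, so any byte of 0x80 or above is accepted. The two sample images are constructed header-only skeletons, not real Parite samples.

```python
import re
import struct

# Name pattern reported for the appended section: 3 letters plus one
# non-ASCII character. The exact byte value is an assumption (see lead-in),
# so any high byte is accepted, followed only by the header's zero padding.
PARITE_SECTION_NAME = re.compile(rb"^[A-Za-z]{3}[\x80-\xff]\x00*$")


def section_names(pe: bytes) -> list:
    """Return the raw 8-byte names of every section in a PE file image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    table = pe_off + 24 + opt_size   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        names.append(pe[off:off + 8])
    return names


def looks_parite_infected(pe: bytes) -> bool:
    """True when the LAST section carries the appended-section name pattern."""
    names = section_names(pe)
    return bool(names) and PARITE_SECTION_NAME.match(names[-1]) is not None


def _fake_pe(names: list) -> bytes:
    """Constructed minimal PE skeleton (headers only) for offline testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> 0x40
    # COFF header: Machine, NumberOfSections, stamp, symtab, nsyms, OptHdrSize, flags
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    secs = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return bytes(hdr) + coff + secs


# Constructed samples: a normal layout, and one with an appended odd section.
CLEAN = _fake_pe([b".text", b".data", b".rsrc"])
INFECTED = _fake_pe([b".text", b".data", b".rsrc", b"qzk\x95"])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, looks_parite_infected(sample))
```

On a real system the same check would be run over the .EXE and .SCR files the description names, alongside the file-size growth and the registry key listed above.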
Method of Infection
The virus drops a UPX packed executable in the user temporary directory and executes it.

This file is actually a DLL, 176,128 bytes in length, bearing a random filename with a .TMP extension (e.g. SQH9.TMP). The DLL is injected into the EXPLORER.EXE process, thus keeping the virus memory resident.

The virus enumerates all network shares and infects all PE .EXE and .SCR files that it has write access to.


Removal Instructions
Use specified engine and DAT files for detection and removal.

Infected systems should be removed from the network and repaired before being placed back on the network. Failure to do so can result in further infections.

Note: The UPX-packed dropped DLL is injected into the EXPLORER.EXE process for the virus to remain memory resident. Cleaning involves the unloading of this DLL from EXPLORER, which requires the 4.2.60 engine (or greater). A reboot may be required after the .dll is removed from explorer.exe.

As this threat seeks open shares, turn off full sharing on your system. If you must use shares, password-protect them to avoid being a future target.


Aliases
PE_PARITE.A (Trend), W32.Pinfi (Symantec), W32/Parite-B (Sophos), W32/Parite.B (F-Prot), W32/Parite.B (Panda), W32/Pate.a, W32/Pate.b.dll, W32/Pate.b.tmp, Win32.Parite.b (AVP), Win32.Pinfi.A (CA)

hofman   2004-10-09 10:40:15   Comments: 0   Views: 3478   Trackbacks: 0
A very old virus, yet it refuses to die @2004-10-09 10:43:13  hofman
Today I ran a full scan on every machine.
I don't know how to wipe it out for good?

2003-2007@copyright