Win32/Jeefo.A
Aliases: PE_JEEFO.A (Trend), W32.Jeefo (Symantec), W32/Hidrag.A (Norman), W32/Jeefo.A (F-Prot), Virus.Win32.Hidrag.a (AVP)
Win32/Jeefo.A is a typical file infector virus that encrypts the original host file's data. Affects Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP.
Upon infection the virus takes over the host file's resources, encrypts the host-file data with those resources stripped off, and appends this encrypted data to the newly created (infected) file.
When a Jeefo-infected file is executed for the first time, the virus creates a copy of the virus host in the Windows directory as svchost.exe, 36,352 bytes in size.
The virus contains several encrypted strings, all of which are encrypted with a very simple encryption loop:
After decrypting these strings with the corresponding decryption function, the virus reveals the real text: “Hidden Dragon virus. Born in a tropical swamp.”
Encrypted, this string is stored in the virus as follows:

Encryption turns the word “Hidden” into “Ijeefo”, which is where the name “Jeefo” comes from. Some other AV vendors call this virus “Hidrag”, after “Hidden Dragon” in the decrypted text.
This string plays an important role in this virus as an infection marker – the virus checks at a fixed offset for the presence of this string and “repairs” such files before it executes Jeefo-infected files.
Basically it rebuilds the original host file by detaching the appended data and decoding it; finally it moves the resources back into the file before it executes the rebuilt executable, which does not contain any viral code.
In other words, the virus “disinfects” each infected file before running it, while at the same time infecting other files, because it keeps running as svchost.exe in the background.
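The entry shows only that “Hidden” encrypts to “Ijeefo”; every character in that pair has moved forward by one (H to I, i to j, d to e, e to f, n to o), so the cipher is consistent with adding 1 to each byte. The following Python is an added example, not code from the Eset entry or from the virus: it treats the cipher as a byte+1 shift (an inference from the single example on the page, labelled as such) and, because the fixed marker offset is not stated, searches a whole buffer for the encoded marker rather than checking one position. The sample buffer is constructed for the demonstration.

```python
# Added example (not from the original Eset entry): decode the Jeefo string
# cipher and locate the infection marker in a byte buffer.
#
# ASSUMPTION: the entry only shows that "Hidden" encrypts to "Ijeefo". Every
# character moved forward by one (H->I, i->j, d->e, e->f, n->o), so this
# example treats the cipher as "add 1 to each byte, mod 256". The fixed offset
# at which the virus checks the marker is not given in the entry, so the
# scanner below searches the whole buffer instead.

MARKER_PLAIN = b"Hidden Dragon virus. Born in a tropical swamp."


def jeefo_encode(data: bytes) -> bytes:
    """Apply the inferred cipher: each byte + 1 (wrapping at 0xFF)."""
    return bytes((b + 1) & 0xFF for b in data)


def jeefo_decode(data: bytes) -> bytes:
    """Invert the cipher: each byte - 1 (wrapping at 0x00)."""
    return bytes((b - 1) & 0xFF for b in data)


# The marker as it would sit inside the virus body under the inferred cipher.
MARKER_ENCODED = jeefo_encode(MARKER_PLAIN)


def find_marker(blob: bytes) -> int:
    """Return the offset of the encoded marker in blob, or -1 if absent."""
    return blob.find(MARKER_ENCODED)


def scan_blob(blob: bytes) -> dict:
    """Triage one file image: report whether the marker is present and where."""
    off = find_marker(blob)
    if off < 0:
        return {"infected": False, "offset": -1, "decoded": b""}
    return {
        "infected": True,
        "offset": off,
        "decoded": jeefo_decode(blob[off:off + len(MARKER_ENCODED)]),
    }


def constructed_infected_sample() -> bytes:
    """Constructed test data: a fake MZ header, padding, the marker, padding."""
    return b"MZ" + b"\x00" * 100 + MARKER_ENCODED + b"\x00" * 20


if __name__ == "__main__":
    print(jeefo_decode(b"Ijeefo"))            # b'Hidden'
    print(scan_blob(constructed_infected_sample()))
    print(scan_blob(b"MZ" + b"\x00" * 64))    # clean buffer: infected False
```

Because the marker string is stored in the virus body and every infected file carries the whole body, the encoded marker is present in every infected file as well as in the dropped svchost.exe, which is why a plain byte search over the file suffices for triage here.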
The virus is able to determine the operating system and behaves in different ways:
When running on Windows NT, Windows 2000 or Windows XP, it installs itself as a service named “Power Manager” with the description “Manages the power save features of the computer.” and creates a mutex named “PowerManagerMutant” to avoid running multiple instances of the virus.
On Windows 9x (Windows 95, Windows 98, Windows ME) the virus adds the following registry value so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
“PowerManager” = “%WINDIR%\svchost.exe”
Note: %WINDIR% is a variable. The virus locates the main Windows installation folder (by default C:\Windows or C:\Winnt) and uses it as the destination folder.
The virus then registers itself as a service process on Windows 9x via the kernel32.dll API “RegisterServiceProcess”.
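The installation indicators above (service name and description, mutex name, RunServices value and the dropped svchost.exe) are the kind of artefacts a responder matches against data collected from a host. The following Python is an added example, not code from the Eset entry: the inventory format (a dict of services, mutex names, registry values and files, gathered separately, for instance from a forensic image) and the three sample inventories are assumptions of the example; the indicator values themselves are the ones stated in the entry.

```python
# Added example (not from the original Eset entry): check a host inventory for
# the Jeefo installation indicators described in the entry.
#
# ASSUMPTION: the inventory dict format below is invented for this example.
# The indicator values (service name/description, mutex, registry value,
# dropped file name and size) are the ones given in the entry.
import ntpath

VIRUS_BODY_SIZE = 36_352
SERVICE_NAME = "Power Manager"
SERVICE_DESCRIPTION = "Manages the power save features of the computer."
MUTEX_NAME = "PowerManagerMutant"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUNSERVICES_VALUE = "PowerManager"
DROPPED_FILE = r"%WINDIR%\svchost.exe"


def _expand_windir(path: str, windir: str) -> str:
    """Expand %WINDIR% to the collected Windows folder and normalise case."""
    return path.replace("%WINDIR%", windir).lower()


def triage(inventory: dict) -> list:
    """Return one finding string per Jeefo installation indicator present."""
    windir = inventory.get("windir", r"C:\Windows")
    findings = []

    # NT family: service "Power Manager" carrying exactly the described text.
    # Both fields must match so a legitimately named vendor service is ignored.
    for svc in inventory.get("services", []):
        if svc.get("name") == SERVICE_NAME and svc.get("description") == SERVICE_DESCRIPTION:
            findings.append(f"service '{SERVICE_NAME}' with Jeefo description")

    # NT family: the mutex used to prevent a second running instance.
    if MUTEX_NAME in inventory.get("mutexes", []):
        findings.append(f"mutex '{MUTEX_NAME}' present")

    # 9x family: RunServices value "PowerManager" pointing at %WINDIR%\svchost.exe.
    for key, values in inventory.get("registry", {}).items():
        if key.lower() != RUNSERVICES_KEY.lower():
            continue
        target = values.get(RUNSERVICES_VALUE)
        if target and _expand_windir(target, windir) == _expand_windir(DROPPED_FILE, windir):
            findings.append(f"RunServices '{RUNSERVICES_VALUE}' -> {target}")

    # Dropped copy: svchost.exe directly in the Windows folder (not System32),
    # exactly the size of the raw virus body.
    for f in inventory.get("files", []):
        if (ntpath.basename(f["path"]).lower() == "svchost.exe"
                and ntpath.dirname(f["path"]).lower() == windir.lower()
                and f["size"] == VIRUS_BODY_SIZE):
            findings.append(f"{f['path']} is {VIRUS_BODY_SIZE} bytes (Jeefo body size)")
    return findings


# Constructed sample inventories; the System32 svchost.exe size is made up.
INFECTED_NT = {
    "windir": r"C:\Winnt",
    "services": [{"name": "Power Manager", "description": SERVICE_DESCRIPTION}],
    "mutexes": ["PowerManagerMutant"],
    "registry": {},
    "files": [{"path": r"C:\Winnt\svchost.exe", "size": 36_352},
              {"path": r"C:\Winnt\System32\svchost.exe", "size": 8_448}],
}
INFECTED_9X = {
    "windir": r"C:\Windows",
    "services": [],
    "mutexes": [],
    "registry": {RUNSERVICES_KEY: {"PowerManager": r"%WINDIR%\svchost.exe"}},
    "files": [{"path": r"C:\Windows\svchost.exe", "size": 36_352}],
}
CLEAN = {
    "windir": r"C:\Windows",
    "services": [{"name": "Power Manager", "description": "Vendor power tool"}],
    "mutexes": [],
    "registry": {RUNSERVICES_KEY: {"ScanRegistry": r"C:\Windows\scanregw.exe /autorun"}},
    "files": [{"path": r"C:\Windows\System32\svchost.exe", "size": 8_448}],
}

if __name__ == "__main__":
    for label, inv in (("NT", INFECTED_NT), ("9x", INFECTED_9X), ("clean", CLEAN)):
        print(label, triage(inv))
```

The file check deliberately keys on svchost.exe sitting directly in the Windows folder: on NT-family Windows the genuine svchost.exe lives in %WINDIR%\System32, so a copy one level up with the 36,352-byte body size is the indicator, while the System32 binary is left alone. The service check requires both the name and the description to match, so a product that happens to register a service called “Power Manager” does not produce a finding.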
After all this, Jeefo starts the infection routine, which enumerates and infects Windows PE files.
Because the whole virus body, with its resources stripped, is added to every infected file, a Jeefo infection increases the size of the host file by 36,352 bytes (the size of the raw virus data installed as svchost.exe in the Windows folder).
Other Details
This virus was written using MinGW, a cross-platform C compiler.
An infected file contains first the virus body, then the original resources (graphics etc.), and at the end of the file the encrypted original file data.
© 1992-2005 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without prior permission.