Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Parite.B

PE_PARITE.A (Trend) W32.Pinfi (Symantec) W32/Parite-B (Sophos) Win32.Pinfi.A (CA) W32/Parite.B (F-Prot) W32/Parite.B (Panda) Win32.Parite.b (AVP)

Type: Win32 polymorphic fileinfector virus
Affects: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP

Upon infection the virus adds a new section (this section is randomly named with 3 letters followed by the ASC-II character 07) to the host file, which contains the main viral code in encrypted form. This file is later dropped as a randomly named temp-file into the TEMP folder using windows API function to retrieve this path.

The temp-file (around 172Kb in size) is injected into Windows Explorer. This means that if Explorer runs, the virus stays active in memory.

The virus takes the Original Entry Point (OEP) from the infected file out of the Fileheader, encrypts the old Entry Point with a randomly generated 32bit value, and stores this calculated entrypoint value in the encrypted last section of the file, where the virus writes itself.

It needs the original entry point to execute an infected file after the viral code has been executed - otherwise infected programs would not be able to run after the virus runs.

Note: In the following text, %windir% denotes Windows directory (e.g. C:\WINDOWS) and %system% denotes Windows System directory (e.g. C:\WINDOWS\SYSTEM32) as they differ on various versions of Microsoft Windows.

The virus creates the following Registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Parite uses 2 different, randomly generated, 32bit values, at 2 random addresses in the original host file, and it overwrites these addresses if the file does not run.
If the infected file is active, the virus restores this data out of the encrypted section into the program code. This is a special mechanism to make the cleaning of infected files more difficult.
The virus enumerates and scans all network shares and tries to infect all Windows32 executables and screensaver files.

Other Details

The polymorphic Dropper is written using TASM, and the virus part itself is written with Borland C++ and packed with UPX, a executable file compressor.