W32/Jeefo.A
Analysis
- This is a 32-bit virus with an infection size of 36,352 bytes.
- When executed, it drops an infectious binary into the Windows folder as svchost.exe. On Windows NT/2000/XP systems, it registers this file to run as a service at startup.
- Under Windows NT/2000/XP, the virus uses imports from ADVAPI32.DLL in order to create and initiate itself to run as a service. The service, listed as Power Manager, will be visible via the Administrator Tools / Services applet. Below are the properties of the service created by this virus:
- Display Name: Power Manager
- Description: Manages the power save features of the computer
- Path to executable: %Windows%\svchost.exe
- Startup type: Automatic
- Log on as: Local System account
- Dependencies: <No Dependencies>
- While the virus runs as a service, it slowly infects other 32-bit PE files on the system by prepending its code to the target files.
- When the virus creates a service, the following keys are created in the system registry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Security
- The above listed keys are populated with data referencing how the virus will load and the location of the file, as in the following example:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\
"Description" = Manages the power save features of the computer.
"DisplayName" = Power Manager
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\WINNT\svchost.exe
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum\
"0" = Root\LEGACY_POWERMANAGER\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
- The virus contains the string Ijeefo!Esbhpo! in its code.
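The service properties, registry values and embedded string listed above are enough to build a simple host-based check. The following Python is an added example written for this page, not Fortinet's own code: it parses a small constructed `.reg`-style export (a subset of the real syntax: `[key]` headers, `"name"="string"` and `"name"=dword:` values), flags the PowerManager service and LEGACY_POWERMANAGER enum keys, flags a `svchost.exe` ImagePath that is not under `system32` (the assumption being that the legitimate svchost.exe lives in `%SystemRoot%\system32`), and searches the first 36,352 bytes of a file (the stated infection size, which is prepended to the host) for the `Ijeefo!Esbhpo!` marker. The sample registry text and file bytes are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Indicators taken from the analysis above
SERVICE_KEY_SUFFIX = r"\services\powermanager"
LEGACY_ENUM_SUFFIX = r"\enum\root\legacy_powermanager"
DISPLAY_NAME = "Power Manager"
MARKER = b"Ijeefo!Esbhpo!"
INFECTION_SIZE = 36352  # bytes of virus code prepended to each host file

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset used here into {key: {value_name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STR_RE.match(line)
        if m:
            # .reg files escape a backslash inside a string as \\
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_jeefo_indicators(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings for the registry artefacts described above."""
    findings: List[str] = []
    for key, values in reg.items():
        lk = key.lower()
        if lk.endswith(LEGACY_ENUM_SUFFIX):
            findings.append(f"legacy enum key present: {key}")
        if lk.endswith(SERVICE_KEY_SUFFIX):
            findings.append(f"service key present: {key}")
            if values.get("DisplayName") == DISPLAY_NAME:
                findings.append(f"display name matches: {DISPLAY_NAME}")
            image = str(values.get("ImagePath", "")).lower()
            # Assumption: the genuine svchost.exe resides in %SystemRoot%\system32
            if image.endswith("svchost.exe") and "\\system32\\" not in image:
                findings.append(f"svchost.exe outside system32: {values['ImagePath']}")
            if values.get("Start") == 2 and values.get("ObjectName") == "LocalSystem":
                findings.append("automatic start as LocalSystem")
    return findings


def has_jeefo_marker(data: bytes) -> bool:
    """True if the marker string appears within the prepended virus body."""
    return MARKER in data[:INFECTION_SIZE]


# Constructed sample: the PowerManager service as the analysis describes it
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager]
"Description"="Manages the power save features of the computer."
"DisplayName"="Power Manager"
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINNT\\svchost.exe"
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000010
"""

# Constructed sample: an unrelated service that should produce no findings
CLEAN_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"DisplayName"="Example Service"
"ImagePath"="C:\\WINNT\\system32\\example.exe"
"Start"=dword:00000003
"""

# Constructed file contents (not real samples) for the marker check
SAMPLE_INFECTED = b"MZ" + b"\x00" * 64 + MARKER + b"\x00" * 32
SAMPLE_CLEAN = b"MZ" + b"\x00" * 64 + b"clean host program" + b"\x00" * 32

if __name__ == "__main__":
    for finding in find_jeefo_indicators(parse_reg_export(SAMPLE_REG)):
        print("[!]", finding)
    print("infected sample has marker:", has_jeefo_marker(SAMPLE_INFECTED))
    print("clean sample has marker:", has_jeefo_marker(SAMPLE_CLEAN))
```

On a live system the same functions can be fed a `reg export HKLM\SYSTEM\CurrentControlSet\Services\PowerManager` output and the first bytes of suspect files; a marker hit identifies an infected file, and the recommended action above (quarantine and restore from a clean backup) still applies, since the prepended body changes the host file.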
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.