Home / malware Virus:Win32/Winemm.A
First posted on 16 April 2009.
Source: SecurityHomeAliases :
Virus:Win32/Winemm.A is also known as Also Known As:Virus:Win32/Winememm.A (other).
Explanation :
Virus:Win32/Winemm.A is a file infecting virus that targets .EXE and .DLL files. Infected files grow in size by 58 kilobytes.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:Files infected by Virus:Win32/Winemm.A grow in size by 58 kilobytes Alert notifications from installed antivirus software may be the only symptom(s).
Virus:Win32/Winemm.A is a file infecting virus that targets .EXE and .DLL files. Infected files grow in size by 58 kilobytes.
Installation
Opening and executing an infected file can activate the virus and infect the local computer.
Spreads Via…Executable File InfectionWin32/Winemmem.A searches for files to infect using these methods:follow shortcuts (.LNK files) from the user’s Desktop enumerate registry values under the Run subkey, in both HKCU and HKLM registry hives follow shortcuts (.LNK files) from the Quick Launch menu intermittently search C: drive for target files to infect The virus follows the path specified in .LNK files found in the user’s Desktop to open the target EXE files. If the target files loads a selected system DLL, the virus copies the system DLL to the same folder as the target executable then infects the DLL with virus code. Although the EXE remains clean, when executed, it loads the infected DLL which activates the virus code. The infected DLL is detected as Trojan:Win32/Winemm.A. If the target executable doesn’t load a selected system DLL file, the virus infects the .EXE file by replacing existing code, and moving the original code into segments elsewhere within the .EXE file. The infected file grows in size by 58 kilobytes. If activated from the infected file, the virus runs its infection routine first, writes the restored host file back to the disk, executes the host file, and re-infects it once the host program terminates. If activated from the infected EXE file, the virus decodes itself into the process in memory and restores the host program to disk, hooks the following APIs to call the virus code and executes the host program: ExitProcess
ExitWindowsEx
CreateFileW The virus resumes control once the host program calls one of the hooked APIs.If ExitProcess or ExitWindowsEx is called, the virus re-infects the host program and terminates. If CreateFileW is called, the virus creates a new thread to run its infection routine. Additional InformationThe virus carries a kernel driver to aid its replication. The kernel driver is written to the temporary directory and activated for a short period of time to allow the virus to modify its host program on disk. Once the host program is restored, the virus removes the kernel driver and continues its replication routine. The kernel driver is detected as VirTool:WinNT/Rootkitdrv.GR.
Analysis by Shali HsiehLast update 16 April 2009