Trojan:Win32/Jeefo.A
First posted on 20 February 2019.
Source: Microsoft
Aliases :
There are no other names known for Trojan:Win32/Jeefo.A.
Explanation :
The Win32/Jeefo virus checks for the presence of a particular mutex to determine if an instance of the virus is already running on the infected computer. The mutex is named Global\PowerManagerMutant if the virus is running on Windows 2000, Windows XP, or Windows Server 2003. The mutex is named PowerManagerMutant on other versions of Windows.

Win32/Jeefo performs the following actions:

If started without command-line arguments:
  Terminates if the following conditions are satisfied:
    The mutex was present when the virus started.
    The infected computer is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
  Infects files and registers itself as a service (if the mutex was not present when the virus started), as follows:
    Infects Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long.
    Registers itself as a service:
      On Windows 95, Windows 98, Windows ME, and Windows NT 4.0 only:
        Creates registry value: PowerManager
        containing string value:
        in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
        This registry modification causes the virus to run automatically as a service each time Windows starts. On Windows 95, Windows 98, and Windows ME, service processes do not appear in Windows Task Manager.
      On other versions of Windows:
        Registers itself as a service named: PowerManager
        with display name: Power Manager
        with description: Manages the power save features of the computer.

If started with one or more command-line arguments, Win32/Jeefo:
  Interprets the first argument as the name of a PE file.
  Tries to disinfect that PE file to produce the original PE content, then attempts to overwrite the infected file with its original content.
  Saves the disinfected file to %temp% if it cannot overwrite the infected file.
  Tries to run the disinfected PE file.

When a PE file infected by Win32/Jeefo runs, the program performs the following actions:
  Closes the mutex.
  Creates file svchost.exe in the Windows folder. This svchost.exe file is a copy of the original stand-alone Win32/Jeefo virus. The file is at least 35,328 bytes long.
  Attempts to run the original content of the PE file by running the dropped svchost.exe with a command-line argument as follows:
    %windir%\svchost.exe

Last update 20 February 2019
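The following is an added host-triage script, not part of the Microsoft description, that checks a Windows host read-only for the artifacts listed above (mutex names, the PowerManager service, the RunServices value, and a svchost.exe dropped directly in the Windows folder rather than in System32). It assumes an elevated PowerShell 3 or later session and treats the Global\ prefix as part of the mutex name.

```powershell
# Added example: read-only hunt for Win32/Jeefo artifacts on the local host. Nothing is removed.
$findings = @()

# 1. Mutex: Global\PowerManagerMutant (2000/XP/2003) or PowerManagerMutant (other versions).
foreach ($name in 'Global\PowerManagerMutant', 'PowerManagerMutant') {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $findings += "Mutex present: $name"
        $m.Dispose()
    }
}

# 2. Service named PowerManager; Jeefo registers it with display name "Power Manager".
$svc = Get-CimInstance Win32_Service -Filter "Name='PowerManager'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service PowerManager: DisplayName='$($svc.DisplayName)' Description='$($svc.Description)' Path='$($svc.PathName)'"
}

# 3. RunServices autostart value (the 9x/ME/NT4 persistence path; querying it elsewhere is harmless).
$runSvc = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$val = Get-ItemProperty -Path $runSvc -Name PowerManager -ErrorAction SilentlyContinue
if ($val) { $findings += "RunServices value PowerManager = $($val.PowerManager)" }

# 4. Dropped copy: svchost.exe in %windir% itself. The legitimate binary lives in %windir%\System32,
#    so a file at this path is suspicious regardless of size; Jeefo's copy is at least 35,328 bytes.
$dropped = Join-Path $env:windir 'svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $item = Get-Item -LiteralPath $dropped
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File $dropped exists: $($item.Length) bytes, SHA256 $hash"
}

if ($findings.Count -eq 0) { 'No Win32/Jeefo artifacts found.' } else { $findings }
```

A hit on item 4 alone is worth a closer look even without the service or mutex, since no supported Windows version places svchost.exe directly in the Windows folder.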