Home / malwarePDF  

Virus:Win32/Floxif


First posted on 22 September 2012.
Source: Microsoft

Aliases :

There are no other names known for Virus:Win32/Floxif.

Explanation :



Virus:Win32/Floxif is a family of viruses that infect Windows executable and DLL files to download and install other malware onto your computer.



Installation

When a file that has been infected with Win32/Floxif is opened or run, the virus will launch its payload.

Spreads via...

File infection

Virus:Win32/Floxif uses the following two infection strategies:

  • It infects files that are currently loaded into memory
  • It searches for and infects all executable files on all of your computer's drives, except for CD-ROM drives and folders and files in the %windir% directory


Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, and 7 it is "C:\Windows".



Payload

Downloads and runs malware

When run, variants of Virus:Win32/Floxif drop a malicious DLL as:

%CommonProgramFiles%\System\symsrv.dll

Note: %CommonProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Common Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files\Common Files".

The dropped DLL may be detected as one of the following:

  • Trojan:Win32/Floxif.A
  • Trojan:Win32/Floxif.B
  • Trojan:Win32/Floxif.C


When the DLL is loaded, it downloads an executable file from a remote server and runs it.

In the wild, we have observed the virus contacting and downloading the file "update.exe" from one of the following servers:

  • www.aieov.com
  • www.zxslb.com


The downloaded file may be detected as Trojan:Win32/Plexardu.A.

Additional information

Virus:Win32/Floxif hooks the following APIs, possibly to interfere with the operation of certain security products:

  • MessageBoxTimeoutW
  • WahReferenceContextByHandle
Related encyclopedia entries

Trojan:Win32/Floxif.A

Trojan:Win32/Floxif.B

Trojan:Win32/Floxif.C

Trojan:Win32/Plexardu.A



Analysis by Chun Feng

Last update 22 September 2012

 

TOP

Malware :