
Win32.Fidcop.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Fidcop.A is also known as n/a.

Explanation :

Win32.Fidcop.A infects executable files larger than 524288 bytes. It finds them by scanning random fixed media (hard drives, flash drives, etc.). To avoid attracting attention, it does not infect files in folders whose paths contain any of the following strings: "win", "program files", "documents and", "_restore", "music". A further restriction is that the executables it infects must be for the i386 architecture and have a standard image base (0x400000).

Method of infection: it replaces a part of the first section with some of its code (approx. 1.5 Kbytes). The rest of the code is packed in the overlay. This part creates a temporary DLL file (e.g. 90.tmp) and then runs it using rundll32.exe. This DLL is the main virus body; its role is to infect other files and run the original file. Win32.Fidcop.A hides two cabinet files in its body.
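The targeting criteria and the overlay placement described above can be turned into a triage filter that narrows which executables deserve a full scan. The following is an added example, not BitDefender's detection logic; the function names, the case-insensitive folder match and the constructed test image are assumptions.

```python
import ntpath
import struct

MIN_SIZE = 524288            # size threshold from the description
I386, PE32_MAGIC = 0x014C, 0x10B
STD_IMAGE_BASE = 0x400000    # image base from the description
SKIPPED = ("win", "program files", "documents and", "_restore", "music")

def pe_traits(data):
    """Return (machine, image_base, overlay_len) for a PE32 image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 56 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        return None
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    end = 0                  # end of the last section's raw data
    for off in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return machine, image_base, max(0, len(data) - end)

def matches_profile(path, data):
    """Triage only: target profile from the description plus appended overlay."""
    folder = ntpath.dirname(path).lower()   # case-insensitive match is assumed
    if any(s in folder for s in SKIPPED) or len(data) <= MIN_SIZE:
        return False
    traits = pe_traits(data)
    if traits is None:
        return False
    machine, base, overlay = traits
    return machine == I386 and base == STD_IMAGE_BASE and overlay > 0

def build_sample(image_base=STD_IMAGE_BASE, overlay=b"", raw=MIN_SIZE):
    """Constructed minimal PE32 layout (one section) used only as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", I386, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = (struct.pack("<H", PE32_MAGIC) + b"\0" * 26
           + struct.pack("<I", image_base)).ljust(0xE0, b"\0")
    sec = b".text\0\0\0" + struct.pack("<IIII", raw, 0x1000, raw, 0x200) + b"\0" * 16
    head = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return head + b"\x90" * raw + overlay
```

Overlay data is also common in legitimate installers and Authenticode-signed files, so a match is a reason to scan the file, not a verdict.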

Last update 21 November 2011

 
