
Virus:Win32/Jeefo.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Virus:Win32/Jeefo.A is also known as Virus.Win32.Hidrag.a, W32/Jeefo, PE_JEEFO.A.

Explanation :

The Win32/Jeefo virus checks for the presence of a particular mutex to determine whether an instance of the virus is already running on the infected computer. The mutex is named Global\PowerManagerMutant if the virus is running on Windows 2000, Windows XP, or Windows Server 2003, and PowerManagerMutant on other versions of Windows.

If started without command-line arguments, Win32/Jeefo performs the following actions:
- Terminates if the mutex was present when the virus started, or if the infected computer is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
- Infects Windows portable executable (PE) files that are 102,400 bytes or larger.
- On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, registers itself as a service by adding the following registry value:
    Adds value: PowerManager
    With data:
    in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  This registry modification causes the virus to run automatically as a service each time Windows starts. On Windows 95, Windows 98, and Windows ME, service processes do not appear in Windows Task Manager.
- On other versions of Windows, registers itself as a Windows service:
    Service name: PowerManager
    Display name: Power Manager
    Description: Manages the power save features of the computer.

If started with one or more command-line arguments, Win32/Jeefo:
- Interprets the first argument as the name of a PE file.
- Tries to disinfect that PE file to recover the original PE content, then attempts to overwrite the infected file with that original content.
- Saves the disinfected file to %temp% if it cannot overwrite the infected file.
- Tries to run the disinfected PE file.

When a PE file infected by Win32/Jeefo runs, the program performs the following actions:
- Closes the mutex.
- Creates the file svchost.exe in the Windows folder (%windir% itself, not the System32 folder where the legitimate svchost.exe lives). This svchost.exe is a copy of the original stand-alone Win32/Jeefo virus and is at least 35,328 bytes long.
- Attempts to run the original content of the PE file by running the dropped svchost.exe with a command-line argument, passing the infected PE file so that the stand-alone virus disinfects and runs it as described above. The dropped copy is launched as:
    %windir%\svchost.exe
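The artifacts above translate directly into a host triage check. The following PowerShell script is an added example and is not part of the Microsoft description or of malwarePDF; it queries only the indicators named on this page (the two mutex names, the PowerManager service and RunServices value, and the dropped %windir%\svchost.exe). The function name Test-JeefoArtifacts and the layout of its output are my own choices. It uses only built-in cmdlets and .NET calls, so it runs on any supported Windows version; run it from an elevated session for the most complete results.

```powershell
# Added triage script (not part of the Microsoft description): checks a Windows
# host for the Win32/Jeefo artifacts listed above. The function name and the
# shape of the output are assumptions; the indicator values come from the page.
function Test-JeefoArtifacts {
    [CmdletBinding()]
    param()

    $findings = [ordered]@{}

    # 1. Mutex: Global\PowerManagerMutant on Windows 2000/XP/2003,
    #    PowerManagerMutant on other versions. Check both names.
    foreach ($name in @('Global\PowerManagerMutant', 'PowerManagerMutant')) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings["Mutex $name"] = 'present'
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            $findings["Mutex $name"] = 'absent'
        } catch [System.UnauthorizedAccessException] {
            # The object exists but this token cannot open it: still evidence it is held.
            $findings["Mutex $name"] = 'present (access denied)'
        }
    }

    # 2. Service named PowerManager (display name "Power Manager").
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PowerManager'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings['Service PowerManager'] =
            "present: DisplayName='$($svc.DisplayName)' PathName='$($svc.PathName)' State=$($svc.State)"
    } else {
        $findings['Service PowerManager'] = 'absent'
    }

    # 3. RunServices value used on Windows 9x/ME/NT 4.0. The key is normally
    #    absent on NT-based systems, so "absent" is the expected result there.
    $runServices = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    $val = Get-ItemProperty -Path $runServices -Name 'PowerManager' -ErrorAction SilentlyContinue
    if ($val) {
        $findings['RunServices PowerManager'] = "present: $($val.PowerManager)"
    } else {
        $findings['RunServices PowerManager'] = 'absent'
    }

    # 4. Dropped copy of the stand-alone virus at %windir%\svchost.exe.
    #    The legitimate svchost.exe lives in %windir%\System32, so a svchost.exe
    #    directly under %windir% is suspicious by location alone.
    $dropped = Join-Path $env:windir 'svchost.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $item = Get-Item -LiteralPath $dropped
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
        $sizeNote = if ($item.Length -ge 35328) {
            'consistent with the 35,328-byte minimum'
        } else {
            'smaller than the documented minimum'
        }
        $findings["File $dropped"] = "present: $($item.Length) bytes ($sizeNote), SHA256=$hash"
    } else {
        $findings["File $dropped"] = 'absent'
    }

    [PSCustomObject]$findings
}

Test-JeefoArtifacts | Format-List
```

The mutex test only detects a currently running instance, so a clean mutex result says nothing about dormant infected PE files on disk; a hit on the service, the registry value, or the dropped file is the stronger lead, and the SHA256 of any %windir%\svchost.exe found should be compared against the copy in %windir%\System32 before anything is removed.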

Last update 15 February 2019

 
