Home / malware Win32.Jeefo.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Jeefo.A is also known as Win32.Jeffo.A.
Explanation :
This executable file infector is written in MinGW and presents a very interesting (and difficult to disinfect) infection technique. It contains various strings, encrypted with a trivial algorithm:
.text:004012B0 decryption_loop:
.text:004012B0 mov cl, [edx+ebx]
.text:004012B3 dec cl
.text:004012B5 mov [edx+eax], cl
.text:004012B8 inc edx
.text:004012B9 cmp edx, edi
.text:004012BB jl short decryption_loop
When an infected file is executed for the first time, the virus receives control and dumps a copy of itself in the Windows directory as svchost.exe and registeres itself to be executed at every system startup: under Windows 9x/Me it adds a key to HKEY_LOCAL_MACHINE SoftwareMicrosoftWindowsCurrentVersionRunServices; under NT/2000/XP, it creates a service called "Power Manager".
The file infection algorithm is complex; in some cases, infected files get corrupted (the virus is not capable of handling certain resource types).
The infected file has the following layout:
1) Virus
2) Original file's resources (bitmaps, icons, etc) -> thus the infected file has the same main icon as the original file
3) Original file chunks - encrypted
The disinfection routine decrypts the file chunks, re-links the file, adds the resources and re-locates them to the new relative virtual address. Resource relocation is tricky and in some cases may cause the virus to fail (crash); however, these files are correctly disinfected by BitDefender.
The virus contains the following text string: "Hidden Dragon virus. Born in a tropical swamp." encrypted with the same trivial encryption algorithm as above. When encrypted, the word "hidden" is transformed to "iJeefo" (this is where this virus got his name from).Last update 21 November 2011
