Aliases: PE_POLIP.A, W32/Polip.A, W32/Polip, System error, Parser error, Generic.dx, Win32.Polip.Gen, W32/Autorun.worm.gen, Virus:Win32/Cekar.B, Win32.Polip.A, Malware-Cryptor.Win32.Palka, Virus:Win32/Polip.A, Win32/Bacalid, Virus:Win32/Polip.A, Worm/Delf.FOG, TR/VB.Downloader.Gen, P2P-Worm.Win32.Polip.a, WORM_PERLOVGA.F, Win32/Polipos, Win32.Bacalid.A, Worm.Win32.AutoRun.aaq, W32/Polip.A - Packed, Virus.Win32.Polip.A
Win32.Polipos is a complex polymorphic virus.
The virus infects Windows executable files by placing its polymorphic decryptor code into unused (slack) areas of the code sections. The main body of the virus, which that decryptor unpacks, is placed in a new section added to the infected executable file.
When launched, the virus injects its code into all active processes, except those with the following names:
savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll, smss, csrss, spoolsv, ctfmon, temp.
Decrypted and extracted copies of the virus then reside in the memory of each active application. Each copy is responsible for one kind of task: searching for files suitable for infection, performing the infection itself, controlling the P2P network function (based on Gnutella networks), and so on. Infected files are shared with all users of that network.
Win32.Polipos intercepts the following API functions:
ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW.
New files are infected when the functions listed above are called. When an infected file that carries an overlay (a self-extracting archive, an installer, and so on) is run, the virus takes control, writes a clean copy of the file as ptf*.tmp in the temporary directory, and then launches that copy.
The virus deletes the following files belonging to antivirus programs:
drwebase.vdb, avg.avi, vs.vsn, antivir.dat, avp.crc, chklist.ms, ivb.ntz, ivp.ntz, chklist.cps, smartchk.ms, smartchk.cps, aguard.dat, avgqt.dat, lguard.vps.
Win32.Polipos does not infect files whose names contain any of the following character combinations:
tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn pack vsaf vswp fsav
adinf sqstart mc watch kasp nod setup temp norton mcafee anti tmp
secure upx forti scan zone labs alarm symantec retina eeye virus
firewall spider backdoor drweb viri debug panda shield kaspersky
doctor trend micro sonique cillin barracuda sygate rescue pebundle ida
spf assemble pklite aspack disasm gladiator ort expl process eliashim
tds3 starforce safe'n'sec avx root burn aladdin esafe olly grisoft avg
armor numega mirc softice norman neolite tiny ositis proxy webroot
hack spy iss pkware blackice lavasoft aware pecompact clean hunter
common kerio route trojan spyware heal alwil qualys tenable avast a2
etrust spy steganos security principal agnitum outpost avp personal
softwin defender intermute guard inoculate sophos frisk alwil protect
eset nod32 f-prot avwin ahead nero blindwrite clonecd elaborate
slysoft hijack roxio imapi newtech infosystems adaptec swift sound
copystar astonsoft gear software sateira dfrgntfs
The virus contains the text string “Win32.Polipos v1.2 by Joseph”.
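As an added triage example (not code from the original description), the following script walks the section table of a PE file with the standard library only and reports whether the marker string above appears in the last section, which is where the description says the virus body is placed. The sample files are constructed in the script itself (the `.polip` section name is an assumption for the test input, not a name the page gives).

```python
import struct

# Marker string the description says the virus body carries (ASCII).
POLIPOS_MARKER = b"Win32.Polipos v1.2 by Joseph"

def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size, characteristics)] for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    hdr = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, _vs, _va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, hdr + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rawptr, rawsize, chars))
    return out

def triage(data: bytes) -> dict:
    """Defender-side check: is the marker in the last (appended) section, or anywhere at all?"""
    secs = pe_sections(data)
    _name, ptr, size, _chars = secs[-1]
    last_body = data[ptr:ptr + size]
    return {
        "sections": [s[0] for s in secs],
        "marker_in_last_section": POLIPOS_MARKER in last_body,
        "marker_anywhere": POLIPOS_MARKER in data,
    }

def build_sample(section_payloads):
    """Build a minimal PE-shaped blob for testing (constructed input, not a loadable binary)."""
    n = len(section_payloads)
    off = 0x40 + 4 + 20 + 40 * n                               # raw data follows the headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)
    headers, raw = b"", b""
    for name, payload in section_payloads:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                               len(payload), off, 0, 0, 0, 0, 0x60000020)
        raw += payload
        off += len(payload)
    return dos + coff + headers + raw

if __name__ == "__main__":
    sample = build_sample([(b".text", b"\x90" * 16),
                           (b".polip", b"junk" + POLIPOS_MARKER + b"\0")])
    print(triage(sample))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `triage`; a hit in the last section matches the behaviour described above, while a hit elsewhere only says the string is present.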