VIRUS ALERTS

Jeefo Virus

Original issue date: November 20, 2007

It has been observed that a parasitic file infector virus named Jeefo is circulating in the wild. It infects Portable Executable (PE) files of size equal to or greater than 102,400 bytes by first encrypting the target host file and then appending the encrypted host code to its own viral code. After successful infection, the size of the infected file increases by 36,352 bytes.

Once an infected file is executed, the virus drops a copy of itself into the Windows folder as svchost.exe and registers that copy as a service named "Power Manager" on Windows operating systems.
The virus also checks for the presence of a particular mutex so that only one instance of the virus runs at a time on the infected system.

Aliases: Virus.Win32.Hidrag.a [Kaspersky]

Upon execution, the virus:

  • Drops a copy of itself in the Windows directory as SVCHOST.EXE.
  • Creates the following registry entry to automatically run at startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    PowerManager = "%Windows%\SVCHOST.EXE"
    (Note: %Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.)
  • Creates a service for itself and adds the following registry key, which contains its service settings on Windows NT, 2000, and XP:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PowerManager
  • If started with one or more command-line arguments:

    •  Interprets the first argument as the name of a PE file.
    •  Tries to disinfect that PE file to produce the original PE content, then attempts to overwrite the infected file with its original content.
    •  Saves the disinfected file to %temp% if it cannot overwrite the infected file.
    •  Tries to run the disinfected PE file.

  • If started without command-line arguments:

    •  Terminates if the mutex was present when the virus started, or if the infected computer is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
    •  Infects Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long.
    •  On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, Win32/Jeefo registers itself as a service by adding the value
       PowerManager
       with data: <name of the virus file that is running>
       in the registry key:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
       This registry modification causes the virus to run automatically as a service each time Windows starts. On Windows 95, Windows 98, and Windows ME, service processes do not appear in Windows Task Manager.
    •  On other versions of Windows, Win32/Jeefo registers itself as a service named PowerManager, with display name "Power Manager" and description "Manages the power save features of the computer."

In view of the rapid propagation of the Jeefo virus, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created or initiated by the Jeefo virus and delete them.
  • Search for the registry entries mentioned above made by the Jeefo virus and delete them.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Keep up to date on patches and fixes for the operating system.
  • Install a personal firewall at desktop level.
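The first two countermeasures above can be turned into a repeatable host check. The following PowerShell script is an added example and is not part of the CERT-In advisory; it only reports the indicators named on this page (the dropped %Windows%\SVCHOST.EXE, a process running from that path, the PowerManager value under RunServices, and the PowerManager service key and service) and does not delete anything, so that findings can be reviewed before cleanup. The function name Invoke-JeefoIocCheck, the use of $env:WINDIR as %Windows%, and the optional size-based triage of .exe files (an infected file must have been at least 102,400 bytes and then grown by 36,352 bytes, so anything smaller than 138,752 bytes cannot be infected) are the example's own assumptions.

```powershell
# Added example, not the advisory's or Microsoft's code: hunts for the
# Win32/Jeefo indicators listed in the CERT-In alert on the local host.
# Run from an elevated PowerShell so HKLM and process paths are readable.

function Invoke-JeefoIocCheck {
    param(
        # Optional directory to triage for candidate infected .exe files
        [string]$TriageDir = $null
    )

    $findings = @()

    # 1. Dropped copy: %Windows%\svchost.exe. The legitimate svchost.exe
    #    lives in %Windows%\System32, not directly in the Windows folder.
    $dropped = Join-Path $env:WINDIR 'svchost.exe'   # assumption: %Windows% == $env:WINDIR
    if (Test-Path -LiteralPath $dropped) {
        $item = Get-Item -LiteralPath $dropped
        $findings += "File present: $dropped ($($item.Length) bytes)"
    }

    # 2. A running svchost process whose image is the dropped copy
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $dropped) } |
        ForEach-Object { $findings += "Process PID $($_.Id) running from $($_.Path)" }

    # 3. RunServices value "PowerManager" (autostart entry named in the alert)
    $runServices = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    if (Test-Path -Path $runServices) {
        $props = Get-ItemProperty -Path $runServices -ErrorAction SilentlyContinue
        if ($props -and $props.PowerManager) {
            $findings += "RunServices value PowerManager = $($props.PowerManager)"
        }
    }

    # 4. Service key and registered service "PowerManager"
    $svcKey = 'HKLM:\System\CurrentControlSet\Services\PowerManager'
    if (Test-Path -Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $svcKey (ImagePath = $img)"
    }
    $svc = Get-Service -Name PowerManager -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service PowerManager is $($svc.Status) (display name '$($svc.DisplayName)')"
    }

    # 5. Optional triage: .exe files too small to be infected are skipped so the
    #    anti-virus scan can be focused. Size alone is NOT proof of infection.
    if ($TriageDir -and (Test-Path -Path $TriageDir)) {
        $minInfectedSize = 102400 + 36352   # 138,752 bytes, derived from the alert's figures
        $candidates = Get-ChildItem -Path $TriageDir -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge $minInfectedSize }
        $findings += "Triage: $(@($candidates).Count) .exe file(s) in $TriageDir are large enough to be infected; scan these with updated anti-virus"
    }

    return $findings
}

# Usage: report only; remediation follows the countermeasure list above
$results = Invoke-JeefoIocCheck -TriageDir 'C:\Program Files'
if ($results.Count -eq 0) {
    Write-Output 'No Jeefo indicators found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script deliberately stops at reporting: a process found running from %Windows%\svchost.exe should be terminated before the file and the registry entries are removed, otherwise the service simply recreates them at the next start, and any .exe flagged by the size triage still needs an anti-virus scan (or the file's own hash against a known-good copy) before it is treated as infected.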

References

Microsoft
http://www.microsoft.com/security/portal/Entry.aspx?name=Virus:Win32/Jeefo.A

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FJEEFO%2EA&VSect=P

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003