W32/Winemmem

Type: Virus
SubType: Win32
Discovery Date: 04/04/2009
Length:
Minimum DAT: 5576 (04/06/2009)
Updated DAT: 5753 (09/26/2009)
Minimum Engine: 5.2.00
Description Added: 04/06/2009
Description Modified: 04/07/2009 1:34 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

W32/Winemmem infects packages, installers and self-extracting archives, that is, executables that carry extra data after the last section (the so-called "overlay"). It rewrites the code section of the original application: a block of random size, taken from the start of the code section at the original entry point (OEP), is relocated to the end of the file, so the overlay grows. The virus creates no new sections and does not modify the PE header. To gain control when an infected file is run, it overwrites the original code at the entry point.
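The three properties above (header and section table untouched, entry-point code overwritten, overlay enlarged) are exactly what a responder can check against a known-good copy of the file. The script below is an added example, not code from the original description or from the vendor: it builds a minimal PE32 sample in memory (constructed, not a real binary), models the infection pattern with a placeholder stub (the stub is an assumption and is not the virus's real loader), and then runs the baseline comparison. Only the Python standard library is used.

```python
"""Overlay and entry-point checks for a PE file, modelled on the W32/Winemmem
description: only the entry-point code and the overlay change, the header and
section table do not.  Standard library only; the PE built here is a
constructed, non-executable sample for illustration."""
import struct

FILE_ALIGN = 0x200
CODE_RVA = 0x1000


def build_sample_pe(code: bytes, overlay: bytes) -> bytes:
    """Construct a minimal PE32 image with a single .text section and an overlay."""
    assert len(code) <= FILE_ALIGN
    raw = code.ljust(FILE_ALIGN, b"\x00")
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    # PE32 optional header: 28 standard bytes + 68 NT bytes + 16 empty data directories
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, len(raw), 0, 0, CODE_RVA, CODE_RVA, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0, 0, 0x2000, FILE_ALIGN, 0, 3, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\x00" * 128
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), CODE_RVA, len(raw),
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(FILE_ALIGN, b"\x00")
    return headers + raw + overlay


def parse_pe(data: bytes) -> dict:
    """Read the entry-point RVA and the section table (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsects = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]
    sect_off = pe_off + 24 + opt_size
    sections = []
    for i in range(nsects):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    return {"entry_rva": entry_rva, "sections": sections,
            "header_end": sect_off + 40 * nsects}


def overlay_of(data: bytes, pe: dict) -> bytes:
    """Everything past the last byte of section raw data is overlay (never mapped at load time)."""
    end = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    return data[end:]


def entry_file_offset(pe: dict) -> int:
    """Translate the entry-point RVA to a file offset via the section that contains it."""
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError("entry point lies outside every section")


def simulate_infection(data: bytes, block_len: int, stub: bytes) -> bytes:
    """Model the pattern from the description: a block of code at the entry point
    is moved to the end of the overlay and the entry-point bytes are overwritten.
    The stub is a placeholder (assumption), not the virus's real loader."""
    pe = parse_pe(data)
    off = entry_file_offset(pe)
    patched = bytearray(data)
    patched[off:off + len(stub)] = stub
    return bytes(patched) + data[off:off + block_len]


def compare(clean: bytes, suspect: bytes) -> dict:
    """Baseline comparison a responder would run against a known-good copy."""
    pc, ps = parse_pe(clean), parse_pe(suspect)
    ec, es = entry_file_offset(pc), entry_file_offset(ps)
    return {
        "header_identical": clean[:pc["header_end"]] == suspect[:ps["header_end"]],
        "section_count": (len(pc["sections"]), len(ps["sections"])),
        "overlay_growth": len(overlay_of(suspect, ps)) - len(overlay_of(clean, pc)),
        "entry_code_changed": clean[ec:ec + 16] != suspect[es:es + 16],
    }


# Constructed sample: 64 bytes of filler "code" plus a 70-byte overlay standing in for SFX data.
CLEAN = build_sample_pe(b"\x55\x89\xe5" + b"\x90" * 61, b"SFXDATA" * 10)
INFECTED = simulate_infection(CLEAN, block_len=32, stub=b"\xe9\x00\x00\x00\x00")

if __name__ == "__main__":
    for key, value in compare(CLEAN, INFECTED).items():
        print(f"{key}: {value}")
```

Run against a real installer and its vendor-supplied original, the same comparison gives the file-size increase the Symptoms section mentions as a concrete overlay delta, and confirms that a grown overlay alone is not proof: a legitimate repackaged installer also grows the overlay, but it does not change the bytes at the entry point.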

On execution, the virus hooks the following APIs of the current process:

CreateFileA
ExitProcess
ExitWindowsEx

----Update on April 7, 2009---

Once the virus is resident, it hooks the CreateFileA() API. When the hook fires, W32/Winemmem gains control and searches the Program Files folder for Windows PE executables. For each EXE it parses the Import Table looking for imported system dynamic link libraries (DLLs). It then copies the found DLL into the same folder as the EXE and infects the copy, modifying the code at the entry point and appending the virus body to the end of the last section. Because an application's own folder is searched before the system folder when a DLL is loaded by name, the planted copy is loaded instead of the genuine one, so the malicious code runs every time any of those EXE files is run.
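The planted copies are easy to hunt for: a DLL whose name matches a System32 DLL but which sits in an application folder under Program Files, especially one whose hash differs from the genuine file. The scanner below is an added example, not code from the original description or from the vendor. It builds a constructed directory tree with placeholder file contents (not real binaries) in a temporary folder, indexes the "genuine" DLLs, and reports name collisions under "Program Files" together with the size difference, where an appended virus body would show up. Standard library only.

```python
"""Hunt for copies of system DLLs planted in application folders, the pattern
described for W32/Winemmem.  Standard library only; the directory tree built
for the demo is a constructed fixture with placeholder contents, not real
binaries."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_system_dlls(system32: Path) -> dict:
    """Map lower-cased DLL name -> (sha256, size) for the genuine copies in System32."""
    return {p.name.lower(): (sha256_file(p), p.stat().st_size)
            for p in system32.iterdir() if p.suffix.lower() == ".dll"}


def scan_planted_dlls(program_files: Path, system_dlls: dict) -> list:
    """Report every DLL under program_files whose name collides with a System32 DLL.
    A planted copy that differs from the genuine file is the strongest signal;
    an identical copy next to an EXE still deserves a look."""
    findings = []
    for root, _dirs, files in os.walk(program_files):
        beside_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            key = f.lower()
            if not key.endswith(".dll") or key not in system_dlls:
                continue
            path = Path(root) / f
            digest, size = sha256_file(path), path.stat().st_size
            ref_digest, ref_size = system_dlls[key]
            findings.append({
                "path": str(path.relative_to(program_files)),
                "name": key,
                "beside_exe": beside_exe,
                "matches_system_copy": digest == ref_digest,
                "size_delta": size - ref_size,   # an appended virus body shows up here
            })
    return sorted(findings, key=lambda x: x["path"])


def _write(path: Path, content: bytes) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)


def build_demo_tree(base: Path):
    """Constructed fixture: a fake System32 and a fake Program Files (placeholder bytes)."""
    sys32 = base / "Windows" / "System32"
    pf = base / "Program Files"
    genuine_ws2 = b"MZ-genuine-ws2_32-" * 8
    genuine_user = b"MZ-genuine-user32-" * 8
    _write(sys32 / "ws2_32.dll", genuine_ws2)
    _write(sys32 / "user32.dll", genuine_user)
    # planted, modified copy next to the EXE that would import it
    _write(pf / "NetTool" / "nettool.exe", b"MZ-app")
    _write(pf / "NetTool" / "ws2_32.dll", genuine_ws2 + b"VIRUSBODY" * 4)
    # vendor DLL with a non-system name: ignored by the scan
    _write(pf / "Editor" / "editor.exe", b"MZ-app")
    _write(pf / "Editor" / "vendor.dll", b"MZ-vendor")
    # verbatim copy of a system DLL with no EXE beside it
    _write(pf / "Backup" / "user32.dll", genuine_user)
    return pf, sys32


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        pf, sys32 = build_demo_tree(Path(tmp))
        return scan_planted_dlls(pf, index_system_dlls(sys32))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real host, point scan_planted_dlls at the actual Program Files and System32 paths and run it with administrative rights. Two caveats: a finding is only conclusive once you confirm that the neighbouring EXE actually imports that DLL by name, and DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are always loaded from System32, so a planted copy of one of those would be found by this scan but never executed via the search order.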

Upon execution, the virus hooks the WS2_32.dll send() API and performs its malicious activity the first time an infected application calls it. It may infect files on removable drives, searching the entire drive for suitable executables, or download and execute remote files from [REMOVED].c0m.st.

We also detect the infected versions of modified system libraries as W32/Winemmem.

Symptoms

Modified executable files (increase in the size of EXE files). Copies of system DLLs appearing in application folders under Program Files, next to the EXE that imports them.

Method of Infection

W32/Winemmem is a file infecting virus. Infection starts when a user runs an infected binary. Executables on network shares may also be infected if they are accessed from the compromised machine.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Winemmem is a file infecting virus with backdoor functionality.

Aliases

  • W32.Winemmem!Inf (Symantec)
