W32/Jeefo
- Type: Virus
- SubType: Win32
- Discovery Date: 04/30/2003
- Length: Infected files increase in size by 36,352 bytes.
- Minimum DAT: 4262 (05/07/2003)
- Updated DAT: 5238 (02/26/2008)
- Minimum Engine: 5.1.00
- Description Added: 05/01/2003
- Description Modified: 11/13/2003 1:45 PM (PT)
Characteristics
This is a parasitic 32-bit file infecting virus that infects Windows PE files on the victim machine.
When an infected file is run on the victim machine, the file SVCHOST.EXE (36,352 bytes) is dropped in %WinDir%. The file has the system attribute set. On Windows 9x machines, the following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"PowerManager" = %WinDir%\SVCHOST.EXE
On Windows NT/2000/XP machines, the dropped file is installed as a service, with the following characteristics:
| Description: | Manages the power save features of the computer |
| Display Name: | Power Manager |
| Start Type: | Automatic |
| Account: | Local system |
Once running in memory, the virus periodically attempts to infect PE files on the victim machine.
Symptoms
- Existence of SVCHOST.EXE (36,362 bytes) in %WinDir%. The file has the system attribute set. NB: a legitimate system file of the same name is typically within %SysDir%, e.g. C:\WINDOWS\SYSTEM\SVCHOST.EXE.
- Infected files increase in size by 36,352 bytes.
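The indicators listed under Characteristics and Symptoms can be checked together against a host inventory. The following is an added example, not vendor code: the snapshot layout, the function names and the sample data are constructed assumptions for illustration.

```python
import ntpath

GROWTH = 36352  # bytes added to an infected PE file, per this description

def _key(path, windir):
    """Expand %WinDir% and normalise a Windows path for comparison."""
    expanded = path.strip('"').lower().replace("%windir%", windir.lower())
    return ntpath.normpath(expanded)

def jeefo_findings(host):
    """Return (indicator, detail) tuples for one host snapshot (dict)."""
    windir = host["windir"]
    dropped = _key(r"%WinDir%\svchost.exe", windir)
    findings = []
    for path, size in host["files"].items():
        # SVCHOST.EXE directly in %WinDir% (the legitimate copy is in %SysDir%)
        if _key(path, windir) == dropped:
            findings.append(("dropped_file", f"{path} ({size} bytes)"))
        # Executable that grew by exactly the infection length since baseline
        base = host["baseline"].get(path)
        if base is not None and size - base == GROWTH:
            findings.append(("size_growth", path))
    for svc in host["services"]:
        # NT/2000/XP: service image in %WinDir%, or the display name used;
        # a display-name-only hit needs manual review before acting on it
        image = _key(svc["image_path"], windir)
        if image == dropped or svc["display_name"] == "Power Manager":
            findings.append(("service", f'{svc["display_name"]} -> {svc["image_path"]}'))
    # Windows 9x: "PowerManager" value under ...\CurrentVersion\RunServices
    data = host["run_services"].get("PowerManager")
    if data is not None:
        findings.append(("run_services", data))
    return findings

# Constructed snapshot; clean file sizes and the baseline are invented.
SAMPLE = {
    "windir": r"C:\WINDOWS",
    "files": {r"C:\WINDOWS\SVCHOST.EXE": 36352,
              r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE": 14336,
              r"C:\Program Files\App\app.exe": 136352,
              r"C:\Program Files\App\tool.exe": 50000},
    "baseline": {r"C:\Program Files\App\app.exe": 100000,
                 r"C:\Program Files\App\tool.exe": 50000},
    "services": [
        {"display_name": "Power Manager", "image_path": r"C:\WINDOWS\svchost.exe"},
        {"display_name": "DHCP Client",
         "image_path": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"}],
    "run_services": {},
}
```

The size-growth check only works where file sizes were recorded before infection, for example from a backup or file-integrity baseline.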
Method of Infection
This parasitic infector encrypts the host file, appending the encrypted data to the infected file.
Once a machine is infected, the dropped SVCHOST.EXE (running as a service on NT/2k) periodically infects executables on the machine.
Removal
All Users:
Use current engine and DAT files for detection. Replace files not cleaned with backup copies.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.