W32/Snow.a

Type
Virus
SubType
Win32
Discovery Date
02/28/2006
Length
243,712 bytes
Minimum DAT
4707 (02/28/2006)
Updated DAT
4710 (03/03/2006)
Minimum Engine
5.1.00
Description Added
02/28/2006
Description Modified
02/28/2006 8:36 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.

W32/Snow.a bears the following characteristics:

  • infects PE executable files
  • infected files grow in length by about 243 kilobytes
  • drops and installs WinPcap network drivers
  • drops and auto-starts a copy of itself
  • when an infected file is run, the virus searches for other files to infect on both local and network drives
  • floods the network with spoofed ARP packets (ARP poisoning)

Symptoms

Presence of the following Windows Registry keys:

  • HKEY_USER\CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE = %Windir%\ctfmon.exe

(Where %Windir% is the Windows directory, for example C:\Windows. The legitimate Microsoft version of ctfmon.exe is typically located in %Windir%\System32 instead.)

  • HKEY_LOCAL_MACHINE\SOFTWARE\SNOW

The virus first attempts to infect the image files of running processes, then locates other executable files on the hard drives. When it fails to infect a file (usually because permission is denied or a file-sharing violation occurs), it adds an entry under the above Windows Registry key as:

  • HKEY_LOCAL_MACHINE\SOFTWARE\SNOW\[letter of the alphabet, in incremental order] = "%Path_to_file%"

Presence of one or more of the following files:

  • %Windir%\ctfmon.exe
  • %Windir%\packet.dll (WinPcap)
  • %Windir%\pthreadvc.dll (WinPcap)
  • %Windir%\wpcap.dll (WinPcap)
  • %Windir%\system32\drivers\npf.sys (WinPcap)

(WinPcap is a popular network monitoring application that has legitimate uses.)
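A defender-side check for the symptoms listed above, written here as an added Python example (it is not McAfee's tooling). It works on observations that have already been collected (the HKCU Run values, a file listing and the HKLM key paths) rather than reading a live registry, so it also runs on an analysis host, and it applies the caveat from this page that ctfmon.exe is suspicious in %Windir% but expected in %Windir%\System32. The function and constant names and the sample observations are constructed for illustration.

```python
import ntpath
import re

# Artifacts named in the W32/Snow.a description; %Windir% is resolved at check time.
SNOW_RUN_VALUE = "CTFMON.EXE"                         # value name under HKCU ...\Run
SNOW_MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\SNOW"  # written after failed infections
SNOW_DROPPED_FILES = ("ctfmon.exe", "packet.dll", "pthreadvc.dll", "wpcap.dll")
SNOW_DRIVER = r"system32\drivers\npf.sys"            # WinPcap kernel driver

def _norm(path):  # case-fold and normalise a Windows path so comparisons are exact
    return ntpath.normcase(ntpath.normpath(path))

def check_snow_indicators(windir, run_entries, present_files, reg_keys):
    """Return (severity, message) findings for the W32/Snow.a artifacts.
    run_entries: {value_name: command} from the HKCU ...\\Run key;
    present_files: full paths observed on disk; reg_keys: HKLM key paths observed."""
    windir = _norm(windir)
    present = {_norm(p) for p in present_files}
    findings = []
    # Marker key the virus creates when an infection attempt fails.
    marker = _norm(SNOW_MARKER_KEY)
    if any(_norm(k) == marker or _norm(k).startswith(marker + "\\") for k in reg_keys):
        findings.append(("high", f"{SNOW_MARKER_KEY} key present"))
    # ctfmon.exe auto-started from %Windir% itself; the legitimate copy lives in System32.
    for name, command in run_entries.items():
        if name.upper() != SNOW_RUN_VALUE:
            continue
        expanded = re.sub(r"%windir%", lambda m: windir, command.strip('"'), flags=re.I)
        if ntpath.dirname(_norm(expanded)) == windir:
            findings.append(("high", f"Run value {name} launches {command} from the Windows directory"))
        else:
            findings.append(("info", f"Run value {name} launches {command}; confirm it is the System32 copy"))
    # Dropped virus copy and WinPcap user-mode DLLs placed directly in %Windir%.
    for fname in SNOW_DROPPED_FILES:
        if ntpath.join(windir, fname) in present:
            findings.append(("high" if fname == "ctfmon.exe" else "medium", f"{fname} present in {windir}"))
    # The WinPcap driver on its own is weak evidence: WinPcap has legitimate uses.
    if ntpath.join(windir, SNOW_DRIVER) in present:
        findings.append(("low", "npf.sys driver present; expected if WinPcap was installed deliberately"))
    return findings

# Constructed sample observations (not real telemetry) so the check runs stand-alone.
SAMPLE_RUN = {"CTFMON.EXE": r"%Windir%\ctfmon.exe", "SoundMan": r"C:\Windows\SOUNDMAN.EXE"}
SAMPLE_FILES = [r"C:\Windows\ctfmon.exe", r"C:\Windows\wpcap.dll", r"C:\Windows\packet.dll",
                r"C:\Windows\System32\ctfmon.exe", r"C:\Windows\System32\drivers\npf.sys"]
SAMPLE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\SNOW\A", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"]
if __name__ == "__main__":
    for severity, message in check_snow_indicators(r"C:\Windows", SAMPLE_RUN, SAMPLE_FILES, SAMPLE_KEYS):
        print(f"[{severity}] {message}")
```

On a live host the three inputs would come from a registry and file-system export; keeping collection separate from the matching logic is what lets the same check run against offline forensic images.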

Method of Infection

This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.

It appends a new section of viral code to the end of an infected file.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • PE_SNOW.A (TrendMicro)
