W32/Polip

Type: Virus
SubType: P2P Worm
Discovery Date: 04/25/2006
Length:
Minimum DAT: 4748 (04/25/2006)
Updated DAT: 5523 (02/11/2009)
Minimum Engine: N/A
Description Added: 04/25/2006
Description Modified: 05/04/2006 11:21 AM (PT)
Risk Assessment (Corporate User): N/A
Risk Assessment (Home User): N/A

Characteristics

W32/Polip is a memory-resident virus that uses entry-point obfuscation techniques. When infecting, the virus replaces all calls or jumps to an imported function used by the host file (randomly chosen by the virus) with obfuscated calls to an advanced polymorphic decryptor.

  • It is a polymorphic virus that injects itself into running processes in order to conceal its presence.
  • It uses the Gnutella protocol to spread through P2P clients, such as BearShare, that implement this protocol.

It searches directories whose names contain the following strings and infects .exe and .scr files within them.

  • :\program files
  • :\windows
  • :\win98
  • :\win98se
  • :\winxp
  • :\win2000
  • :\winnt
  • :\winme

Whenever it selects a file to infect, it searches that file's directory for the following checksum databases and deletes any it finds.

  • drwebase.vdb
  • avg.avi
  • vs.vsn
  • anti-vir.dat
  • avp.crc
  • chklist.ms
  • ivb.ntz
  • ivp.ntz
  • chklist.cps
  • smartchk.ms
  • smartchk.cps
  • aguard.dat
  • avgqt.dat
  • lguard.vps

It also does not infect files, or files within folders, whose names contain the following strings:

  • temp
  • norton
  • mcafee
  • anti
  • tmp
  • secure
  • upx
  • forti
  • scan
  • zone labs
  • alarm
  • symantec
  • retina
  • eeye
  • virus
  • firewall
  • spider
  • backdoor
  • drweb
  • viri
  • debug
  • panda
  • shield
  • kaspersky
  • doctor
  • trend micro
  • sonique
  • cillin
  • barracuda
  • sygate
  • rescue
  • pebundle
  • ida
  • spf
  • assemble
  • pklite
  • aspack
  • disasm
  • gladiator
  • ort expl
  • process
  • eliashim
  • tds3
  • starforce
  • safe'n'sec
  • avx
  • root
  • burn
  • aladdin
  • esafe
  • olly
  • grisoft
  • avg
  • armor
  • numega
  • mirc
  • softice
  • norman
  • neolite
  • tiny
  • ositis
  • proxy
  • webroot
  • hack
  • spy
  • iss
  • pkware
  • blackice
  • lavasoft
  • aware
  • pecompact
  • clean
  • hunter
  • common
  • kerio
  • route
  • trojan
  • spyware
  • heal
  • alwil
  • qualys
  • tenable
  • avast
  • a2
  • etrust
  • spy
  • steganos
  • security
  • principal
  • agnitum
  • outpost
  • avp
  • personal
  • softwin
  • defender
  • intermute
  • guard
  • inoculate
  • sophos
  • frisk
  • alwil
  • protect
  • eset
  • nod32
  • f-prot
  • avwin
  • ahead
  • nero
  • blindwrite
  • clonecd
  • elaborate
  • slysoft
  • hijack
  • roxio
  • imapi
  • newtech
  • infosystems
  • adaptec
  • swift sound
  • copystar
  • astonsoft
  • gear software
  • sateira
  • dfrgntfs

Additionally, W32/Polip does not infect files with filenames or directories containing these characters:

  • {
  • }
  • $

It also does not infect files whose path begins with:

  • \\?\
  • \\.\

Symptoms

  • Any file detected as W32/Polip with current DATs.
  • Infected files grow in size by approximately 55kB - 75kB.
  • Unusual process activity: listing files on the hard disk and modifying them
  • Unusual network activity: connections to the Gnutella P2P network

Method of Infection

File Infection

When infecting a file, W32/Polip creates a new section with an empty section name, either before the resource section or just after the last data section of the file. This section contains the encrypted, polymorphic body of the virus. The virus randomly chooses a function imported by the program and patches every call or jump to that function so that execution is redirected to the new section. W32/Polip also copies parts of its code into the empty space at the end of the code section, and it uses the data section to hold its own variables.

Once the virus code has executed, it repairs the hooked calls and jumps to the imported function and returns execution to the program code. If the infected file is an installer or an SFX archive, the virus creates a copy of the file in the temporary folder, disinfects that copy and runs it from the new location (otherwise the installer's integrity check would fail and it would not run).
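
The infection technique described above leaves a structural trace that a defender can check without executing a sample: a section whose name is empty, placed immediately before the resource section or appended as the last section. The following is an added example, not part of the McAfee description: a minimal PE section-table parser that flags unnamed sections, records whether they are marked executable, and reports where they sit relative to `.rsrc`. The PE images it inspects are constructed in-memory headers built by the hypothetical `build_sample` helper (not real or infected files), and the dictionary field names are this example's own choice.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and return the sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): skip Machine, read NumberOfSections, skip the
    # timestamp/symbol fields, read SizeOfOptionalHeader, skip Characteristics.
    num_sections, size_opt = struct.unpack_from("<2xH12xH2x", data, coff)
    table = coff + 20 + size_opt  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (raw_name, vsize, vaddr, rsize, rptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_pointer": rptr, "characteristics": chars,
        })
    return sections


def triage(data):
    """Return (index, reason) for every unnamed section, with the position the description mentions."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    findings = []
    for idx, s in enumerate(sections):
        if s["name"] != "":
            continue
        reason = "unnamed section"
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reason += ", executable"
        if ".rsrc" in names and idx == names.index(".rsrc") - 1:
            reason += ", placed immediately before .rsrc"
        elif idx == len(sections) - 1:
            reason += ", appended as last section"
        findings.append((idx, reason))
    return findings


def build_sample(section_specs):
    """Hypothetical helper: build headers-only PE bytes (not loadable) for the constructed tests."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> PE signature right after DOS header
    size_opt = 224                                  # size of a PE32 optional header, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_opt, 0x102)
    table = b""
    for i, (name, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + table


# Constructed samples: a normal layout and two layouts matching the description.
CLEAN = build_sample([(".text", 0x60000020), (".data", 0xC0000040), (".rsrc", 0x40000040)])
BEFORE_RSRC = build_sample([(".text", 0x60000020), (".data", 0xC0000040),
                            ("", 0xE0000020), (".rsrc", 0x40000040)])
APPENDED = build_sample([(".text", 0x60000020), (".data", 0xC0000040),
                         (".rsrc", 0x40000040), ("", 0xE0000020)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("before .rsrc", BEFORE_RSRC), ("appended", APPENDED)):
        print(label, triage(sample))
```

The heuristic is deliberately narrow: unnamed sections also occur in some legitimately packed binaries, so a hit is a triage signal to pair with the symptoms above (file growth of roughly 55 to 75 kB, Gnutella traffic), not a verdict on its own.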

P2P Propagation

W32/Polip spreads through P2P clients that use the Gnutella protocol. Once a machine running a Gnutella-based client is infected, the virus becomes available to other machines on the P2P network. If a user copies an infected file and subsequently runs it, that machine in turn becomes a host for the virus.

Also, if a user who does not have a Gnutella-based client receives the virus outside the normal propagation method (for example, someone sends it to them by e-mail) and runs it, the virus implements its own Gnutella P2P client on that machine, which then becomes a host for spreading the virus.

The GWebCaches it uses are listed below:

  • gcache.sexter.com:8080/gwc/
  • abacustechnology.net:8000/
  • gwc2.mine.nu:3333/
  • dhcp-0-c-41-d1-94-ce.cpe.quickclic.net:8088/
  • filecloset.com/gwebcache/gcache.cgi
  • gwc2.908middle.us:3559/gwc2/
  • crab2.dyndns.org:8002/gwc/
  • gwc1c.olden.ch.3557.nyud.net:8090/gwc/
  • ygwc.y-0.net/ygwc.php
  • gwc.mine.nu:3333/
  • bbs.robertwoolley.co.uk/GWebCache/gcache.php
  • cache.kicks-ass.net:8000/
  • node04.hewson.cns.ufl.edu:8080/pwc.cgi
  • gwc.jooz.net:8010/gwc/
  • node02.hewson.cns.ufl.edu:8080/pwc.cgi
  • gcache.cloppy.net/
  • loot.alumnigroup.org/
  • crabcake.dynalias.net:9627/
  • gwc1.nouiz.org/servlet/GWebCache/req
  • pokerface.bishopston.net:3558/
  • crab2.dyndns.org:30002/gwc/
  • kisama.ath.cx:8080/
  • starscream.dynalias.com/
  • toadface.bishopston.net:3558/
  • node00.hewson.cns.ufl.edu:8080/pwc.cgi
  • g2cache.theg2.net/gwcache/lynnx.asp
  • galvatron.dyndns.org:59009/gwcache
  • gwcrab.sarcastro.com:8001/
  • cache.warrink.ath.cx:8000/
  • gwc.nonamer.ath.cx:8080/
  • krill.shacknet.nu:20095/gwc
  • gwebcache.linuxonly.nl/
  • overbeer.ghostwhitecrab.de/
  • hmmm.servebeer.com/gwebcache/gcache.cgi
  • gwebcache.nerdboy.com.au/cgi-bin/perlgcache.cgi
  • gwebcache.bearshare.net/gcache.Php
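
The GWebCache list above doubles as a network indicator: a host that has never run a Gnutella client suddenly fetching several of these caches matches the "implements its own P2P Gnutella client" behaviour described earlier. The following is an added example, not from the original page: it matches proxy-log URLs against a subset of the listed caches by host and port, then flags clients that contacted two or more distinct caches. The log format, the log lines and the threshold of two are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the GWebCache entries from the description above (host[:port]/path, no scheme).
POLIP_GWEBCACHES = [
    "gcache.sexter.com:8080/gwc/",
    "gwc2.mine.nu:3333/",
    "crab2.dyndns.org:8002/gwc/",
    "gwc.mine.nu:3333/",
    "node04.hewson.cns.ufl.edu:8080/pwc.cgi",
    "gcache.cloppy.net/",
    "gwebcache.bearshare.net/gcache.Php",
]


def normalize_entry(entry):
    """Turn 'host[:port]/path' into (host, port); an entry without a port is taken as 80."""
    parts = urlsplit("http://" + entry)
    return parts.hostname.lower(), parts.port or 80


def build_index(entries):
    """Map (host, port) -> original entry so matching is exact on both host and port."""
    return {normalize_entry(e): e for e in entries}


GWEBCACHE_INDEX = build_index(POLIP_GWEBCACHES)

# Constructed proxy-log layout (hypothetical, not a real product's format):
# <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def scan_proxy_log(lines, index):
    """Return (client, matched_entry, url) for each request to a known GWebCache host:port."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        u = urlsplit(m["url"])
        try:
            key = (u.hostname.lower(), u.port or 80) if u.hostname else None
        except ValueError:  # non-numeric or out-of-range port in the URL
            key = None
        if key in index:
            hits.append((m["client"], index[key], m["url"]))
    return hits


def summarize_hits(hits):
    """Number of distinct GWebCaches contacted per client, sorted by client."""
    per_client = defaultdict(set)
    for client, entry, _url in hits:
        per_client[client].add(entry)
    return {c: len(s) for c, s in sorted(per_client.items())}


def flag_bootstrap_clients(hits, threshold=2):
    """Clients that hit at least `threshold` distinct caches: the fan-out of a client bootstrapping."""
    return [c for c, n in summarize_hits(hits).items() if n >= threshold]


# Constructed log lines. 10.1.2.9 contacts a listed host on the wrong port and must not match.
SAMPLE_LOG = [
    "2006-04-25T10:00:01Z 10.1.2.3 GET http://www.example.com/index.html 200",
    "2006-04-25T10:00:05Z 10.1.2.3 GET http://gwc.mine.nu:3333/ 200",
    "2006-04-25T10:00:06Z 10.1.2.3 GET http://gwebcache.bearshare.net/gcache.Php 200",
    "2006-04-25T10:00:09Z 10.1.2.7 GET http://gcache.cloppy.net/ 503",
    "2006-04-25T10:00:12Z 10.1.2.9 GET http://gwc.mine.nu:8080/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG, GWEBCACHE_INDEX)
    print(summarize_hits(hits))
    print("bootstrap-like clients:", flag_bootstrap_clients(hits))
```

Matching on host and port rather than hostname alone matters here because several of the listed caches share a hostname with unrelated services on other ports; the single-cache hit from 10.1.2.7 is still recorded, but only the client that fanned out to two caches is flagged.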

Removal

At this time, repair of any infected file requires the standalone Stinger remover for W32/Polip.

Any files that have been corrupted or deleted by W32/Polip will need to be replaced from backup.

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

  • p2p-worm.win32.polip.a [Kaspersky]
  • w32.polip [Symantec]
  • W32/Polipos-A [Sophos]
