W32/Pate.b
- Type: Virus
- SubType: Worm
- Discovery Date: 10/15/2001
- Length: 177kb
- Minimum DAT: 4167 (10/24/2001)
- Updated DAT: 5241 (02/28/2008)
- Minimum Engine: 5.1.00
- Description Added: 09/13/2002
- Description Modified: 02/05/2004 6:30 AM (PT)
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- PE_PARITE.A (Trend)
- W32.Pinfi (Symantec)
- W32/Parite-B (Sophos)
- W32/Parite.B (F-Prot)
- W32/Parite.B (Panda)
- W32/Pate.a
- W32/Pate.b.dll
- W32/Pate.b.tmp
- Win32.Parite.b (AVP)
- Win32.Pinfi.A (CA)
Characteristics
This is an encrypted parasitic file-infecting virus and network aware worm. It appends PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section with a random 3 letter section header followed by the character "•".
The virus creates the following Registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
The virus does not store the original file size, and hence cleaning of this virus will not leave the original executables at their original size. In the majority of cases this will not cause an issue as the growth in file size is non-infectious "garbage" data at the end of the file. Certain applications which undertake a self-check will not run after cleaning and should be deleted and restored from backup.
Additionally the virus may mis-infect files with an incomplete virus body and leave the executable non-functioning. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup.
Symptoms
- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key
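A triage check for the section-name marker described under Characteristics and the file growth listed above, added here as an example; it is not McAfee's detection logic. It assumes the "•" in the section name is a single non-ASCII byte; the header-only PE skeleton, the 0x95 sample byte and the names pe_sections, pate_marker_sections and build_sample are constructed for this example.

```python
import re
import struct

# Heuristic triage for the marker described above: W32/Pate.b appends a PE
# section named with three random letters plus a character the page renders
# as "•". Assumption (ours): that character is one byte outside 0x00-0x7F and
# the rest of the 8-byte name is zero-padded.
SECTION_NAME_RE = re.compile(rb"[A-Za-z]{3}[\x80-\xff]\x00*")

def pe_sections(data: bytes) -> list:
    """Parse the section table; return (raw_8_byte_name, size_of_raw_data) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    nsects = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # IMAGE_SECTION_HEADERs, 40 bytes each
    sections = []
    for i in range(nsects):
        off = table + 40 * i
        rawsize = struct.unpack_from("<I", data, off + 16)[0]   # SizeOfRawData
        sections.append((data[off:off + 8], rawsize))
    return sections

def pate_marker_sections(data: bytes) -> list:
    """Sections matching the Pate.b naming pattern, with raw size for comparison
    against the ~177 KB growth listed under Symptoms. A triage signal, not proof."""
    return [(name.rstrip(b"\0"), rawsize) for name, rawsize in pe_sections(data)
            if SECTION_NAME_RE.fullmatch(name)]

def build_sample(section_names: list) -> bytes:
    """Constructed header-only PE skeleton (not a real binary) to exercise the check."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(224)   # zeroed 224-byte optional header
    for i, name in enumerate(section_names):             # VirtualSize, VA, RawSize, RawPtr, ...
        image += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return image

# 0x95 renders as "•" in Windows-1252; constructed sample, not a real infected file.
SAMPLE_INFECTED = build_sample([b".text", b".data", b"qzk\x95"])
SAMPLE_CLEAN = build_sample([b".text", b".data"])
```

Run it over a directory of .EXE and .SCR files and hand any hit with a raw size near 177 KB to a scanner with the DAT and engine listed above; the registry key under Characteristics is a second, independent indicator.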
Method of Infection
The virus drops a UPX-packed executable in the user's temporary directory and executes it.
This file is actually a DLL, 176,128 bytes in length, bearing a random filename with a .TMP extension (e.g. SQH9.TMP). The DLL is injected into the EXPLORER.EXE process, thus keeping the virus memory resident.
The virus enumerates all network shares and infects all PE .EXE and .SCR files that it has write access to.
Removal
Use specified engine and DAT files for detection and removal.
Infected systems should be removed from the network and repaired prior to placing them back on the network. Failure to do so can result in further infections.
Note: The UPX-packed dropped DLL is injected into the EXPLORER.EXE process for the virus to remain memory resident. Cleaning involves the unloading of this DLL from EXPLORER, which requires the 4.2.60 engine (or greater). A reboot may be required after the .dll is removed from explorer.exe.
As this threat seeks out open shares, turn off full-access sharing on your system. If you have to use shares, protect them with a password to avoid being a future target.
Variants
N/A