Recently, we discovered a new parasitic (file-infecting) virus in the wild, Win32/Floxif, which specifically targets DLL files. Most of the attacks of this threat have been observed to come from a specific geographic region.
Win32/Floxif replaces 5 bytes at the entry point of the infected file with a jmp instruction, which jumps directly to the virus body (as shown in Figure 1):
Figure 1: The virus replaces 5 bytes at entry point
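The entry-point patch described above lends itself to a simple defensive check. The following script is an added example, not code from MMPC or from the original post: it parses a PE file, reads the 5 bytes at AddressOfEntryPoint and flags a relative near jump (opcode 0xE9) whose target lies in a different section than the entry point itself, which is what an appended virus body looks like. The minimal two-section PE builder, the section layout (.text at RVA 0x1000, .rsrc at RVA 0x2000) and the sample images are constructed here so the script runs offline; the heuristic is a generic one, not Floxif's actual detection signature.

```python
# Added example (not MMPC's code): heuristic for a "jmp to another section" at the PE entry point.
import struct
from collections import namedtuple

Section = namedtuple("Section", "name va vsize rawptr rawsize")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt_off + size_opt + 40 * i                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, max(vsize, rawsize), rawptr, rawsize))
    return entry_rva, sections


def section_for_rva(rva, sections):
    for sec in sections:
        if sec.va <= rva < sec.va + sec.vsize:
            return sec
    return None


def rva_to_offset(rva, sections):
    sec = section_for_rva(rva, sections)
    if sec is None or rva - sec.va >= sec.rawsize:
        return None                                              # RVA not backed by file data
    return sec.rawptr + (rva - sec.va)


def check_entry_point(data):
    """Flag an entry point that starts with 'jmp rel32' into another section."""
    entry_rva, sections = parse_pe(data)
    entry_sec = section_for_rva(entry_rva, sections)
    off = rva_to_offset(entry_rva, sections)
    ep = data[off:off + 5] if off is not None else b""
    result = {"entry_rva": entry_rva, "entry_section": entry_sec.name if entry_sec else None,
              "jmp_at_entry": False, "target_rva": None, "target_section": None,
              "suspicious": False}
    if len(ep) == 5 and ep[0] == 0xE9:                           # E9 <rel32>: relative near jump
        rel32 = struct.unpack("<i", ep[1:5])[0]
        target = (entry_rva + 5 + rel32) & 0xFFFFFFFF
        target_sec = section_for_rva(target, sections)
        # A jump that leaves the entry section (or lands outside every section) is worth a
        # closer look; an intra-section jump is common compiler output and is not flagged.
        result.update(jmp_at_entry=True, target_rva=target,
                      target_section=target_sec.name if target_sec else None,
                      suspicious=(target_sec is None or target_sec is not entry_sec))
    return result


# --- constructed test images (synthetic, not real samples) --------------------------------
def build_sample_pe(text_bytes, rsrc_bytes=b""):
    """Build a minimal 32-bit DLL image: headers, .text at RVA 0x1000, .rsrc at RVA 0x2000."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint -> .text start

    def sec(name, va, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)

    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
           + sec(b".text", 0x1000, 0x200) + sec(b".rsrc", 0x2000, 0x400))
    return hdr.ljust(0x200, b"\0") + text_bytes.ljust(0x200, b"\0") + rsrc_bytes.ljust(0x200, b"\0")


def clean_sample():
    # push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret
    return build_sample_pe(b"\x55\x8B\xEC\x33\xC0\x5D\xC3")


def intra_section_jmp_sample():
    # jmp +0x0B stays inside .text (target RVA 0x1010): not flagged
    return build_sample_pe(b"\xE9\x0B\x00\x00\x00" + b"\x90" * 11 + b"\xC3")


def cross_section_jmp_sample():
    # jmp from RVA 0x1000 to RVA 0x2100 in .rsrc: rel32 = 0x2100 - (0x1000 + 5) = 0x10FB
    body = b"\x00" * 0x100 + b"\x60\x61\xC3"                     # placeholder "body" at .rsrc+0x100
    return build_sample_pe(b"\xE9\xFB\x10\x00\x00", body)


if __name__ == "__main__":
    for label, img in [("clean", clean_sample()),
                       ("intra-section jmp", intra_section_jmp_sample()),
                       ("cross-section jmp", cross_section_jmp_sample())]:
        print(label, check_entry_point(img))
```

The intra-section case is included deliberately: some compilers and packers legitimately emit a jump as the first instruction, so the check only raises a flag when the jump leaves the entry section. On a real file, `check_entry_point(open(path, "rb").read())` gives the same dictionary; a `suspicious` result is a reason to hand the file to a scanner, not a verdict by itself.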
The virus body drops a malicious file with the deceptive file name "%Program Files%\Common Files\System\symsrv.dll" and then calls the export function FloodFix of the dropped DLL. The rest of the work is done in this export function, detailed as follows:
Win32/Floxif uses two different infection strategies to choose which DLLs to infect:
In both cases, DLL files under %windows% directory are avoided.
Below is a list of the top 10 reported infected DLL files in our telemetry:
Win32/Floxif downloads an encrypted PE file and executes it. The downloaded file is detected as Trojan:Win32/Plexardu.A.
Chun Feng, MMPC Melbourne