Recently, we discovered a new parasitic infection virus in the wild – Win32/Floxif - which specifically targets DLL files. Most of the attacks of this threat have been observed to come from a specific geographic region.

Win32/Floxif replaces 5 bytes at the entry point of the infected file with a jmp instruction, which jumps directly to the virus body (as shown in Figure 1):

floxif1.jpg
floxif2.jpg

Figure 1: The virus replaces 5 bytes at entry point

The virus body drops a malicious file with a deceptive file name %Program Files%\Common Files\System\symsrv.dll" and then it calls the export function FloodFix of the dropped DLL. The rest of the work is done in this export function, which can be detailed as the following:

  1. Restore the stolen code(including the 5 bytes at the entry point and another code chunk overwritten by the virus) for the host file
  2. Process the relocation table for the host file (the relocation table entry has been removed from the PE file after infection)
  3. Pass control back to the host file

Win32/Floxif adopts 2 different infection strategies to choose the DLL to infect:

  1. Enumerate the loaded DLL files in the running processes
  2. Blanket search for all the DLL files on all drives

In both cases, DLL files under %windows% directory are avoided.

Below is a list of the top 10 reported infected DLL files in our telemetry:

  1. jvm.dll
  2. MSVCR71.DLL
  3. awt.dll
  4. jqs_plugin.dll
  5. ZipLib.dll
  6. WSignature.dll
  7. xappex.1.1.1.38.(919).dll
  8. MSVCR100.dll
  9. msoxmlmf.dll
  10. XLUE.dll

Win32/Floxif downloads an encrypted PE file and executes it. The downloaded file is detected as Trojan:Win32/Plexardu.A.

Chun Feng
MMPC Melbourne