Virus: W32/Hidrag.a
Date discovered: 13/04/2005
Type: File infector
In the wild: No
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: No
File size: ~36,352 bytes
VDF version: 6.30.00.93

 General Method of propagation:
   • Mapped network drives


Aliases:
   •  Symantec: W32.Jeefo
   •  Mcafee: W32/Jeefo
   •  Kaspersky: Virus.Win32.Hidrag.a
   •  TrendMicro: PE_JEEFO.A
   •  F-Secure: Virus.Win32.Hidrag.a
   •  Sophos: W32/Jeefo-A
   •  Grisoft: Win32/Hidrag.A
   •  Eset: Win32/Jeefo.A
   •  Bitdefender: Win32.Jeefo.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Registry modification


   Description

   W32/Hidrag.a is a memory-resident virus without a destructive payload that infects Win32 PE EXE files.

   The virus searches for executables to infect; when it infects one, it appends its own code and encrypts part of the original file, so the host no longer runs unless the virus code runs first.

   When an infected file is executed, it drops the first-generation infector into the Windows directory as svchost.exe and (on Windows NT/2000/XP) registers that file as a service named "Power Manager". The virus then runs the original program, so the user sees nothing unusual.

 Files
The following file is created:

%WINDIR%\svchost.exe

The file is executed as soon as it has been fully written. Further analysis showed that this file is malware as well. Detected as: W32/Hidrag.a

Note that the legitimate svchost.exe resides in %WINDIR%\System32; a copy of svchost.exe directly in %WINDIR% is the dropped virus.

 Registry
The following registry keys are added so that the service is loaded again after a reboot (Type 0x10 is SERVICE_WIN32_OWN_PROCESS and Start 2 is SERVICE_AUTO_START, i.e. the dropped file runs as its own auto-started process, unlike a genuine svchost-hosted service):

– [HKLM\SYSTEM\CurrentControlSet\Services\PowerManager]
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%WINDIR%\svchost.exe"
   • "DisplayName"="Power Manager"
   • "ObjectName"="LocalSystem"
   • "Description"="Manages the power save features of the computer."
   • "Security"=%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\PowerManager\Enum]
   • "0"="Root\\LEGACY_POWERMANAGER\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

 Miscellaneous
Mutex:
It creates the following mutex:
   • PowerManagerMutant


String:
Furthermore it contains the following string:
   • Hidden Dragon virus. Born in a tropical swamp.
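The indicators above (the svchost.exe dropped outside System32, the "Power Manager" service key, and the embedded string) can be turned into a triage routine. The following is an added example, not Avira's code or part of the original description: it parses a registry export in `.reg` format and scans a byte buffer for the marker string. The registry text and the dropper bytes are constructed for the example; the benign `Dhcp` key is included as a control and is not from the description. The rules that a genuine svchost-hosted service uses Type 0x20 (SERVICE_WIN32_SHARE_PROCESS) with a `-k` group argument, and that the real svchost.exe lives under System32, come from Windows service conventions rather than from this page.

```python
"""Triage helpers for the W32/Hidrag.a (Jeefo) persistence described above (added example)."""
import re
from typing import Dict, List

# Win32 service constants (winnt.h / winsvc.h)
SERVICE_WIN32_OWN_PROCESS = 0x10    # runs in its own process (what the dropper registers)
SERVICE_WIN32_SHARE_PROCESS = 0x20  # what a real svchost-hosted service uses
SERVICE_AUTO_START = 0x2            # started by the SCM at boot

JEEFO_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager"
JEEFO_MARKER = b"Hidden Dragon virus. Born in a tropical swamp."

# Constructed sample of what `reg export HKLM\SYSTEM\CurrentControlSet\Services\...`
# would produce; the Dhcp key is a benign control, not from the description.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="C:\\WINDOWS\\svchost.exe"
"DisplayName"="Power Manager"
"ObjectName"="LocalSystem"
"Description"="Manages the power save features of the computer."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Enum]
"0"="Root\\LEGACY_POWERMANAGER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"DisplayName"="DHCP Client"
"ObjectName"="LocalSystem"
"""

# Constructed stand-in for the dropped file: a PE-like header followed by the marker.
SAMPLE_DROPPER_BYTES = b"MZ\x90\x00" + b"\x00" * 16 + JEEFO_MARKER + b"\x00" * 8

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')
_IMAGE_RE = re.compile(r'^\s*"?(?P<exe>.*?\.exe)"?(?P<args>.*)$', re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo the .reg string escaping (\\\\ -> \\ and \\" -> \")."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse single-line .reg values into {key: {name: value}}; dwords become ints."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, val = m.group("name"), m.group("val")
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = _unescape(val[1:-1])
            else:
                keys[current][name] = val  # hex:... blobs are kept raw
    return keys


def triage_service(values: Dict[str, object]) -> List[str]:
    """Return the reasons a Services\\<name> key matches the Hidrag.a persistence."""
    findings: List[str] = []
    image = str(values.get("ImagePath", ""))
    m = _IMAGE_RE.match(image)
    exe = m.group("exe") if m else image
    args = m.group("args").strip() if m else ""
    directory, _, basename = exe.rpartition("\\")
    if basename.lower() == "svchost.exe":
        # The real svchost.exe is in %WINDIR%\System32; the dropper lands in %WINDIR%.
        if not directory.lower().endswith("system32"):
            findings.append(f"svchost.exe outside System32: {exe}")
        # A genuine svchost-hosted service is share-process and names its group with -k.
        if values.get("Type") == SERVICE_WIN32_OWN_PROCESS or "-k" not in args:
            findings.append("svchost.exe registered as own-process service without a -k group")
    if values.get("DisplayName") == "Power Manager" and values.get("ObjectName") == "LocalSystem":
        findings.append('display name "Power Manager" running as LocalSystem')
    if findings and values.get("Start") == SERVICE_AUTO_START:
        findings.append("auto-start: survives reboot")
    return findings


def triage_export(text: str) -> Dict[str, List[str]]:
    """Map every suspicious service key in a .reg export to its findings."""
    return {k: f for k, v in parse_reg_export(text).items() if (f := triage_service(v))}


def scan_for_marker(data: bytes) -> bool:
    """True if the string reported in the description is present in the buffer."""
    return JEEFO_MARKER in data


if __name__ == "__main__":
    for key, reasons in triage_export(SAMPLE_REG_EXPORT).items():
        print(key)
        for r in reasons:
            print("  -", r)
    print("marker present:", scan_for_marker(SAMPLE_DROPPER_BYTES))
```

On a live host the same checks apply to the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and to the bytes of any svchost.exe found outside System32; the mutex name PowerManagerMutant is a further live-only indicator that cannot be checked from an export.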

Description inserted by Daniel Constantin on Tuesday, April 3, 2007
Description updated by Daniel Constantin on Tuesday, April 3, 2007
