Virus: W32/Polipos
Type: File infector
Reported in the wild: Yes
Infection reports: Low
Likelihood of infection: Medium
Damage potential: Medium
Static file: No
Engine versions: AV7 7.00.00.08, AV6 6.33.01.58
General Information
Infection method
• P2P (peer-to-peer)
Aliases
• Symantec: W32.Polip
• McAfee: W32/Polip
• Kaspersky: P2P-Worm.Win32.Polip.a
• TrendMicro: PE_POLIP.A
• Sophos: W32/Polipos-A
• Bitdefender: Win32.Polip.A
Platform/OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Virus Body
The virus body consists of an encrypted part (roughly 50%) and the
decryptor (the remaining 50%). The encrypted part holds the actual virus
body together with parts of further decryptor layers. The virus can use
gaps already present in the host's code and inserts itself into these
spaces without changing the size or attributes of the host section.
Additionally it enlarges the virtual size of the data section and uses
this extra space at runtime.
Besides the gap infection it appends a new section without a section
name, either as the last section or, if a resource section exists,
possibly as the second-to-last section directly in front of the resource
section.
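The two file-level traces described above (an unnamed section placed last or directly before the resource section, and a data section whose virtual size is much larger than its raw size) can be checked from the PE section table alone. The following is an added example written for this page, not Avira's detection logic: a minimal section-table parser plus a triage function that reports both traces. The section layouts it is run over are constructed test data, and the header builder omits the optional header to keep the sample short.

```python
# Added example (not from the Avira description): PE section-table triage for
# the file-level traces the description attributes to W32/Polipos.
import struct

COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = COFF_HDR.unpack_from(image, coff_off)
    table_off = coff_off + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsect):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = SECTION_HDR.unpack_from(
            image, table_off + i * SECTION_HDR.size)
        sections.append({
            "index": i,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": va,
            "raw_size": raw_size,
            "characteristics": chars,
        })
    return sections


def flag_polipos_traces(sections):
    """Return (section index, reason) pairs for the traces named in the description."""
    findings = []
    last = len(sections) - 1
    for s in sections:
        i = s["index"]
        if s["name"] == "":
            before_rsrc = i == last - 1 and sections[last]["name"] == ".rsrc"
            if i == last or before_rsrc:
                findings.append((i, "unnamed section appended last or directly before .rsrc"))
            else:
                findings.append((i, "unnamed section"))
        # Benign binaries also have VirtualSize > SizeOfRawData for .data (.bss space),
        # so a large gap is only a weak signal on its own.
        if s["name"] == ".data" and s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            findings.append((i, "data section virtual size far exceeds raw size (weak signal)"))
    return findings


def build_image(section_specs):
    """Construct a headers-only PE image (no optional header, no section bodies) for testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = COFF_HDR.pack(0x014C, len(section_specs), 0, 0, 0, 0, 0x010E)  # i386, SizeOfOptionalHeader = 0
    table = b"".join(
        SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"), vsize, va, raw, raw_ptr, 0, 0, 0, 0, chars)
        for (name, vsize, va, raw, raw_ptr, chars) in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed section layouts: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
CLEAN_LAYOUT = [
    (".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (".data", 0x800, 0x2000, 0x800, 0x1400, 0xC0000040),
    (".rsrc", 0x400, 0x3000, 0x400, 0x1C00, 0x40000040),
]
SUSPECT_LAYOUT = [
    (".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (".data", 0x4000, 0x2000, 0x800, 0x1400, 0xC0000040),   # virtual size inflated
    ("", 0x2000, 0x6000, 0x2000, 0x1C00, 0xE0000020),        # unnamed, before .rsrc
    (".rsrc", 0x400, 0x8000, 0x400, 0x3C00, 0x40000040),
]

if __name__ == "__main__":
    for label, layout in (("clean", CLEAN_LAYOUT), ("suspect", SUSPECT_LAYOUT)):
        print(label, flag_polipos_traces(parse_sections(build_image(layout))))
```

The unnamed-section check follows the placement the description gives; the data-section check deliberately reports itself as weak, because an inflated VirtualSize is the normal way a linker reserves zero-initialised data and needs corroboration (for example the entry-point redirection described in the next section) before it means anything.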
Entry Point Obscuring
- replacing calls/jumps to original imports with calls to the virus entry point
- replacing end-of-function stack-frame restoring constructs (function epilogues) with calls/jumps to the virus entry point
In both cases every occurrence of the original code pattern is replaced by
jumps/calls to the virus entry code.
Virus Encryption
The virus is encrypted with an XTEA-based algorithm and is decrypted in
several stages (partial decryption of code ranges) and in multiple
layers.
The polymorphism is rather strong; the generated code features massive
junk insertion and some anti-emulation / anti-debugging tricks.
Additionally, the polymorphic engine seeds its random number generator
with a checksum computed over parts of the host file, so the decryptor
code is completely identical across all generations for one particular
host file.
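To make "XTEA-based" and "partial decryption of code ranges" concrete, here is an added example (not Avira's code and not the sample's decryptor): a reference XTEA block cipher, a helper that transforms only one byte range of a buffer and leaves the rest untouched, and a triage check for the XTEA round constant that analysts commonly search for in suspect code. The key and the buffer are constructed test values; the real decryptor is polymorphic and layered, which this textbook cipher does not reproduce.

```python
# Added example (not from the Avira description): reference XTEA plus a
# range-limited ECB helper and a round-constant triage check.
import struct

DELTA = 0x9E3779B9   # TEA/XTEA round constant
MASK = 0xFFFFFFFF


def xtea_encrypt_block(v0, v1, key, rounds=32):
    """Encrypt one 64-bit block (two 32-bit words) under a 128-bit key (four words)."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of xtea_encrypt_block: same schedule, walked backwards."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def xtea_range(data, key, start, length, decrypt):
    """Apply XTEA (ECB) to data[start:start+length] only; bytes outside the range
    are copied unchanged. This is the 'partial decryption of a code range' idea."""
    if length % 8:
        raise ValueError("range length must be a multiple of the 8-byte block size")
    fn = xtea_decrypt_block if decrypt else xtea_encrypt_block
    out = bytearray(data)
    for off in range(start, start + length, 8):
        v0, v1 = struct.unpack_from("<II", out, off)
        struct.pack_into("<II", out, off, *fn(v0, v1, key))
    return bytes(out)


def contains_tea_delta(blob):
    """Triage heuristic: the round constant (or its additive inverse, used by
    decrypt loops that add instead of subtract) embedded as a little-endian
    immediate. A hit is a hint that TEA/XTEA is present, not proof."""
    return (struct.pack("<I", DELTA) in blob
            or struct.pack("<I", (-DELTA) & MASK) in blob)


# Constructed test key and buffer (hypothetical, not sample data).
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)
SAMPLE = bytes(range(64))
RANGE_START, RANGE_LEN = 16, 32


def roundtrip():
    """Encrypt only the middle range, then decrypt it; returns (encrypted, decrypted)."""
    enc = xtea_range(SAMPLE, KEY, RANGE_START, RANGE_LEN, decrypt=False)
    dec = xtea_range(enc, KEY, RANGE_START, RANGE_LEN, decrypt=True)
    return enc, dec


if __name__ == "__main__":
    enc, dec = roundtrip()
    print("range changed:", enc[16:48] != SAMPLE[16:48], "rest intact:", enc[:16] == SAMPLE[:16])
    print("round trip ok:", dec == SAMPLE)
    print("delta present in own constant:", contains_tea_delta(struct.pack("<I", DELTA)))
```

Searching for 0x9E3779B9 (or 0x61C88647, its two's-complement inverse) is a cheap first pass when triaging a decryptor, but the description's point about junk insertion and multiple layers is exactly why such a constant may be split or computed at runtime, so its absence proves nothing.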
Infection Targets
File Infection:
The virus targets Win32 PE executables and screensavers (*.EXE, *.SCR).
Files whose names contain any of the following substrings will not be
infected by the virus:
a2 adaptec adinf agnitum ahead aladdin alarm alwil alwil anti armor
aspack assemble astonsoft avast avg avp avwin avx aware backdoor
barracuda blackice blindwrite burn cillin clean clonecd common copystar
dbg debug defender dfrgntfs disasm doctor drweb dss eeye elaborate
eliashim esafe eset etrust expl f- f-prot firewall forti fpr frisk fsav
'gear software' gladiator grisoft guard hack heal hijack hunter ibm ida
imapi infosystems inoc inoculate intermute iss kasp 'kaspersky' kerio
lavasoft mc mcafee mirc mon nav neolite nero newtech nod nod32 norman
norton numega nvc olly ort ositis outpost pack panda pav pebundle
pecompact personal pklite pkware principal process protect proxy qualys
rav rescue retina root route roxio sateira scan scn sec secure security
setup shield slysoft softice softwin sonique sophos spf spider spy spy
spyware sqstart starforce steganos 'swift sound' sygate symantec tb tds3
temp tenable tiny tmp trend micro trojan upx viri virus vsaf vswp vtf
watch webroot 'zone labs'
The virus damages about 5-10% of the host files it touches, either
through incomplete infections or through an otherwise broken decryptor.
Memory Injection
It injects code into running processes, creating hooks within the
target's private in-memory copy of kernel32.dll.
Hooked functions are:
CreateFileA CreateFileW CreateProcessA CreateProcessW ExitProcess
LoadLibraryExA LoadLibraryExW SearchPathA SearchPathW
The following processes are excluded from the code injection:
csrss ctfmon drwatson drwtsn32 dumprep dwwin savedump smss spoolsv temp
P2P Capabilities
The virus also has P2P worm-like spreading functionality and is able to
connect to the following list of tracking servers (addresses masked as
in the original description):
gcache.sexter.com:8080/**********
abacustechno**********:8000/
gwc2.mine.**********
dhcp-0-c-41-**********:8088/
filecloset.com/gwebcache/**********
gwc2.908middle.us:3559/**********
crab2.dyndns.org:8002/**********
gwc1c.olden.ch.3557.nyud.net:8090**********
ygwc.y-0.net/**********
gwc.m**********:3333/
bbs.robertwoolley.co.uk/GWebCache/**********
cache.ki**********:8000/
node04.hewson.cns.ufl.edu:8080**********
gwc.jooz.net:8010**********
node02.hewson.cns.ufl.edu:8080**********
gcache.clo**********
loot.alumnigr**********
crabcake.dy**********:9627/
gwc1.nouiz.org/servlet/GWebC**********
pokerface.bis**********:3558/
crab2.dyndns.org:30002**********
kisama.a**********8080/
starscream.dynal**********
toadface.bis**********:3558/
node00.hewson.cns.ufl.edu:8080**********
g2cache.theg2.net/gwcache/**********
galvatron.dyndns.org:59009**********
gwcrab.sarca**********:8001/
cache.war**********:8000/
gwc.nona**********:8080/
krill.shacknet.nu:20095**********
gwebcache.linux**********
overbeer.ghostwhite**********
hmmm.servebeer.com/gwebcache/**********
gwebcache.nerdboy.com.au/cgi-bin/**********
gwebcache.bearshare.net/**********
Description inserted by Andrei Ivanes on Wednesday, 3 May 2006
Description updated by Andrei Ivanes on Friday, 2 June 2006