After 6 antivirus products found the virus
(W32.Hidrag-A, W32/Jeefo-A) but could not remove it, here is how I did it:
1. Download jeefosfx.exe
(https://www.sophos.com/support/cleaners/jeefosfx.exe) and jeefogui.com
(https://www.sophos.com/support/cleaners/jeefogui.com);
2. Extract jeefocli.exe to the default path (C:\Sophtemp) and copy jeefogui.com
into this directory;
3. Boot into Safe Mode;
4. Run - cmd;
5. cd sophtemp;
6. jeefocli.exe
That's all!
ziemenz
Your problem could have been solved super simply. Jeefo only infects executables ... if you try with Norton 2004 Pro or Bit it will mess things up even worse. Search Google for "jeefo antivirus" and you will find "jeefosfx.exe", which includes the antivirus and some instructions. Restart and boot into SAFE MODE ... run the antivirus, I think it was called "jeefo.cli". First it will delete VHOST from Windows. VHOST is the main means of spreading. The rest is a piece of cake. Good luck
dan666
It has two modules, one is for DOS; they are called jeefoguy.com and jeefosfx.exe.
I got them from sophos.com, I think....
https://www.sophos.com/virusinfo/analyses/w32jeefoa.html
W32/Jeefo-A infects Windows PE executables with an extension of EXE and a filesize greater than 102,399 bytes, in all folders of all fixed drives C: to Z:.
The virus runs continuously in the background, infecting files at periodic intervals.
When an infected file is run, the virus dropper is extracted to the Windows folder as SVCHOST.EXE and the virus disinfects the host executable, although not all infected files will be successfully returned to their original state.
Under Windows 95/98/Me the virus creates the following registry entries so that the virus is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= <pathname of virus>
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
PowerManager= "C:\<Windows>\SVCHOST.EXE"
Under Windows NT based systems (Windows NT/2000/XP) the virus creates a service named PowerManager with the startup type set to automatic, so that the virus is run automatically on startup.
https://www.viruslist.com/en/viruslist.html?id=61035
Aliases Win32.Hidrag (Kaspersky Lab) is also known as: W32/Jeefo (McAfee), W32.Jeefo (Symantec), Win32.HLLP.Jeefo.36352 (Doctor Web), W32/Jeefo-A (Sophos), Win32/HLLP.Jeefo (RAV), PE_JEEFO.A (Trend Micro), W32/Jeefo (H+BEDV), W32/Jeefo.A (FRISK), Win32:Jeefo (ALWIL), Win32/Hidrag.A (Grisoft), Win32.Jeefo.A (SOFTWIN)
Technical Details
Hidrag is a non-dangerous memory resident parasitic Win32 virus. The virus infects Win32 PE EXE files. While infecting the virus encrypts a block of victim files.
When the Hidrag virus runs it creates a copy of itself that is about 36K in size and places it in the Windows directory using the name svchost.exe. Next Hidrag registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
PowerManager = %WindowsDir%\SVCHOST.EXE
Hidrag then stays in Windows memory as an active process, searches for EXE files on all drives - starting with the C: drive - and infects them.
The virus does not manifest itself in any way.
The virus contains the following encrypted text strings:
Hidden Dragon virus. Born in a tropical swamp.
PowerManagerMutant
https://www.bitdefender.ro/bd/site/search.php
Name: Win32.Jeefo.A
Alias: Win32.Jeffo.A
Type: Executable Infector
Size: 36.352 bytes, written in MinGW
Discovered:
Detected:
Spread: Medium
Risk: Medium
ITW: Yes
Symptoms:
- Presence of the file "svchost.exe" in the Windows directory
- Under Windows 9x/Me, the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices contains the value "PowerManager" which points to "svchost.exe"
- Under Windows NT/2000/XP, presence of the "Power Manager" service. This service has the description: 'Manages the power save features of the computer.'
Technical description: This executable file infector is written in MinGW and presents a very interesting (and difficult to disinfect) infection technique. It contains various strings, encrypted with a trivial algorithm:
.text:004012B0 decryption_loop:
.text:004012B0 mov cl, [edx+ebx]
.text:004012B3 dec cl
.text:004012B5 mov [edx+eax], cl
.text:004012B8 inc edx
.text:004012B9 cmp edx, edi
.text:004012BB jl short decryption_loop
When an infected file is executed for the first time, the virus receives control and dumps a copy of itself in the Windows directory as svchost.exe and registers itself to be executed at every system startup: under Windows 9x/Me it adds a key to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; under NT/2000/XP, it creates a service called "Power Manager".
The file infection algorithm is complex; in some cases, infected files get corrupted (the virus is not capable of handling certain resource types).
The infected file has the following layout:
1) Virus
2) Original file's resources (bitmaps, icons, etc) -> thus the infected file has the same main icon as the original file
3) Original file chunks - encrypted
The disinfection routine decrypts the file chunks, re-links the file, adds the resources and re-locates them to the new relative virtual address. Resource relocation is tricky and in some cases may cause the virus to fail (crash); however, these files are correctly disinfected by BitDefender.
The virus contains the following text string: "Hidden Dragon virus. Born in a tropical swamp." encrypted with the same trivial encryption algorithm as above. When encrypted, the word "hidden" is transformed to "iJeefo" (this is where this virus got its name from).
Disinfection instructions:
Let BitDefender disinfect the files it found infected. When BitDefender encounters the "host" file (pure virus dropper), it will automatically delete it.
Disinfection utility:
N/A
Virus analysed by:
BitDefender AV Research Team
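The "trivial algorithm" in the BitDefender disassembly above (mov cl,[src]; dec cl; mov [dst],cl) just subtracts one from every byte, which is why "hidden" stored with +1 per byte reads as "ijeefo" (byte for byte a lowercase j; the analysis writes it as "iJeefo"). The following is an added example, not code from the thread or from any vendor: it mirrors that loop in Python and uses it to search a constructed buffer for the two marker strings the analyses report, the way a signature check over a memory dump would. The buffer contents and the function names are assumptions for the demonstration.

```python
# Added example: Jeefo/Hidrag string "encryption" (each byte +1) in Python.
# Decryption is the disassembled loop: every byte decremented by one.

def jeefo_decrypt(data: bytes) -> bytes:
    """Mirror of the decryption_loop: each byte minus 1, wrapping at 0."""
    return bytes((b - 1) & 0xFF for b in data)

def jeefo_encrypt(data: bytes) -> bytes:
    """Inverse transform: what the plaintext strings look like in the virus body."""
    return bytes((b + 1) & 0xFF for b in data)

# Strings the Kaspersky and BitDefender analyses report inside the virus.
KNOWN_PLAINTEXT = [
    b"Hidden Dragon virus. Born in a tropical swamp.",
    b"PowerManagerMutant",
]

def find_encrypted_strings(buf: bytes) -> list:
    """Scan a buffer for the known strings in their stored (+1) form.

    Returns (offset, plaintext) pairs. This is a signature check suitable for
    a dump or a suspicious file; it is not a disinfector (re-linking the host
    executable is the hard part, as the analysis above explains).
    """
    hits = []
    for plain in KNOWN_PLAINTEXT:
        needle = jeefo_encrypt(plain)   # search for the encrypted form directly
        start = 0
        while (idx := buf.find(needle, start)) != -1:
            hits.append((idx, plain))
            start = idx + 1
    return hits

# Constructed sample buffer (NOT a real virus body): filler bytes around the
# two marker strings in their encrypted form, as a scanner would see them.
SAMPLE = (b"\x00" * 16
          + jeefo_encrypt(KNOWN_PLAINTEXT[0])
          + b"\x90" * 8
          + jeefo_encrypt(KNOWN_PLAINTEXT[1])
          + b"\xff" * 4)

if __name__ == "__main__":
    print(jeefo_encrypt(b"hidden"))            # b'ijeefo'
    for off, text in find_encrypted_strings(SAMPLE):
        print(f"0x{off:04x}: {text.decode()}")
```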