Virus:Win32/Polip.A is a memory-resident polymorphic virus that infects 32-bit applications with '.exe' or '.scr' file extensions. This virus may also use the Gnutella peer-to-peer network protocol to distribute a copy of itself.
Installation
When an infected program is executed, the virus may load its code into memory and remain resident there while it searches for target files to infect.
The virus code is injected into all running processes, except those whose process names contain any of the following strings:
savedump
dumprep
dwwin
drwtsn32
drwatson
kernel32.dll
smss
csrss
spoolsv
ctfmon
temp
Spreads Via…
File Infection
The virus places its code into the unused areas, or cavities, of host files. To avoid detection it uses several techniques; for example, this virus contains:
- multiple encryption layers
- code blocks spread throughout the file
- a polymorphic engine for the decryptor
- multiple anti-debugging and anti-emulation tricks.
The virus searches for infection candidates within the following folders, on any drive letter:
'\program files'
'\windows'
'\win98'
'\win98se'
'\winxp'
'\win2000'
'\winnt'
'\winme'
Win32/Polip.A may avoid infecting files whose names contain certain substrings, including the following:
nav
pav
rav
fsav
root
esafe
norman
defender
grisoft
{
}
$
The virus may also specifically target the following files for infection:
<system folder>\logonui.exe
<system folder>\logon.scr
<currently set screen saver path and file>
The currently set screen saver path is stored in the registry value "SCRNSAVE.EXE" under the subkey "HKEY_CURRENT_USER\Control Panel\Desktop".
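The targeting rules above (folder list on any drive, '.exe'/'.scr' extension, avoidance substrings, and the SCRNSAVE.EXE registry value) can be turned into a triage check that tells a responder which files on a host were in scope for this infector and therefore deserve priority scanning. The script below is an added example written for this description; it is not code from the original write-up. It assumes the avoidance substrings are matched case-insensitively against the whole path minus its drive letter (the write-up only says "files that contain certain substrings"), and the sample paths in it are constructed.

```python
import re
import sys
from typing import List, Optional, Tuple

# Folders the virus searches, as listed in the write-up; drive letter is ignored.
TARGET_FOLDERS = (
    r"\program files", r"\windows", r"\win98", r"\win98se",
    r"\winxp", r"\win2000", r"\winnt", r"\winme",
)

# Substrings whose presence makes the virus skip a file, from the write-up.
AVOID_SUBSTRINGS = (
    "nav", "pav", "rav", "fsav", "root", "esafe",
    "norman", "defender", "grisoft", "{", "}", "$",
)

INFECTABLE_EXTENSIONS = (".exe", ".scr")

_DRIVE_RE = re.compile(r"^[a-z]:", re.IGNORECASE)


def strip_drive(path: str) -> str:
    """Normalise slashes and drop a leading drive letter such as 'C:'."""
    return _DRIVE_RE.sub("", path.replace("/", "\\"))


def in_target_folder(path: str) -> bool:
    """True if the path lies under one of the folders the virus enumerates."""
    rel = strip_drive(path).lower()
    return any(rel == f or rel.startswith(f + "\\") for f in TARGET_FOLDERS)


def avoided_substring(path: str) -> Optional[str]:
    """Return the first avoidance substring found in the path, or None.
    Assumption: the virus tests the full path (minus drive), not just the name."""
    rel = strip_drive(path).lower()
    for s in AVOID_SUBSTRINGS:
        if s in rel:
            return s
    return None


def is_infection_candidate(path: str) -> bool:
    """Would Win32/Polip.A consider this file for cavity infection?"""
    rel = strip_drive(path).lower()
    if not rel.endswith(INFECTABLE_EXTENSIONS):
        return False
    if not in_target_folder(path):
        return False
    return avoided_substring(path) is None


def current_screensaver() -> Optional[str]:
    """Read HKCU\\Control Panel\\Desktop\\SCRNSAVE.EXE, the value the write-up
    says the virus targets. Returns None off Windows or if unset."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop") as key:
            value, _ = winreg.QueryValueEx(key, "SCRNSAVE.EXE")
            return value
    except OSError:
        return None


def triage(paths: List[str]) -> List[Tuple[str, str]]:
    """Label each path as 'candidate', 'skipped:<substring>' or 'out-of-scope'."""
    results = []
    for p in paths:
        if is_infection_candidate(p):
            results.append((p, "candidate"))
        elif in_target_folder(p) and avoided_substring(p):
            results.append((p, "skipped:" + avoided_substring(p)))
        else:
            results.append((p, "out-of-scope"))
    return results


# Constructed sample paths for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Windows\system32\logonui.exe",
    r"D:\Program Files\Grisoft\avg.exe",
    r"C:\Users\bob\tool.exe",
    r"C:\Windows\notepad.dll",
    r"\winxp\explorer.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PATHS):
        print(f"{verdict:18} {path}")
    ss = current_screensaver()
    if ss:
        print("configured screen saver (also a target):", ss)
```

The screen saver lookup is included because the write-up names that value as an explicit target; on a live Windows host it lets the same script add the configured '.scr' to the files worth hashing and scanning first.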
Gnutella P2P Networks
Win32/Polip.A may send a copy of itself to connected clients using a built-in implementation of Gnutella P2P protocol version 0.6. The virus uses a predefined catalogue of server nodes (GWebCaches) to retrieve a list of connected clients:
gcache.sexter.com:8080/gwc/
abacustechnology.net:8000/
gwc2.mine.nu:3333/
dhcp-0-c-41-d1-94-ce.cpe.quickclic.net:8088/
filecloset.com/gwebcache/gcache.cgi
gwc2.908middle.us:3559/gwc2/
crab2.dyndns.org:8002/gwc/
gwc1c.olden.ch.3557.nyud.net:8090/gwc/
ygwc.y-0.net/ygwc.php
gwc.mine.nu:3333/
bbs.robertwoolley.co.uk/GWebCache/gcache.php
cache.kicks-ass.net:8000/
node04.hewson.cns.ufl.edu:8080/pwc.cgi
gwc.jooz.net:8010/gwc/
node02.hewson.cns.ufl.edu:8080/pwc.cgi
gcache.cloppy.net/
loot.alumnigroup.org/
crabcake.dynalias.net:9627/
gwc1.nouiz.org/servlet/GWebCache/req
pokerface.bishopston.net:3558/
crab2.dyndns.org:30002/gwc/
kisama.ath.cx:8080/
starscream.dynalias.com/
toadface.bishopston.net:3558/
node00.hewson.cns.ufl.edu:8080/pwc.cgi
g2cache.theg2.net/gwcache/lynnx.asp
galvatron.dyndns.org:59009/gwcache
gwcrab.sarcastro.com:8001/
cache.warrink.ath.cx:8000/
gwc.nonamer.ath.cx:8080/
krill.shacknet.nu:20095/gwc
gwebcache.linuxonly.nl/
overbeer.ghostwhitecrab.de/
hmmm.servebeer.com/gwebcache/gcache.cgi
gwebcache.nerdboy.com.au/cgi-bin/perlgcache.cgi
gwebcache.bearshare.net/gcache.Php
The virus shares a copy of itself with connected clients under the file name "pdmckaziejdntbJ".
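Because the GWebCache catalogue and the share name are fixed in the sample, both are usable network indicators. The script below is an added example for this write-up, not code from the original page: it parses a simple space-separated proxy log (timestamp, client, method, URL; a constructed format) and flags requests to any catalogued cache host and port, requests whose final path segment is the share name, and, as a weaker generic signal, requests carrying the `ping`, `hostfile` or `urlfile` query parameters that GWebCache clients use (taken from the public GWebCache specification, not from the write-up). The log lines are constructed.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# GWebCache catalogue embedded in the virus, copied from the write-up.
GWEBCACHES = [
    "gcache.sexter.com:8080/gwc/", "abacustechnology.net:8000/", "gwc2.mine.nu:3333/",
    "dhcp-0-c-41-d1-94-ce.cpe.quickclic.net:8088/", "filecloset.com/gwebcache/gcache.cgi",
    "gwc2.908middle.us:3559/gwc2/", "crab2.dyndns.org:8002/gwc/",
    "gwc1c.olden.ch.3557.nyud.net:8090/gwc/", "ygwc.y-0.net/ygwc.php", "gwc.mine.nu:3333/",
    "bbs.robertwoolley.co.uk/GWebCache/gcache.php", "cache.kicks-ass.net:8000/",
    "node04.hewson.cns.ufl.edu:8080/pwc.cgi", "gwc.jooz.net:8010/gwc/",
    "node02.hewson.cns.ufl.edu:8080/pwc.cgi", "gcache.cloppy.net/", "loot.alumnigroup.org/",
    "crabcake.dynalias.net:9627/", "gwc1.nouiz.org/servlet/GWebCache/req",
    "pokerface.bishopston.net:3558/", "crab2.dyndns.org:30002/gwc/", "kisama.ath.cx:8080/",
    "starscream.dynalias.com/", "toadface.bishopston.net:3558/",
    "node00.hewson.cns.ufl.edu:8080/pwc.cgi", "g2cache.theg2.net/gwcache/lynnx.asp",
    "galvatron.dyndns.org:59009/gwcache", "gwcrab.sarcastro.com:8001/",
    "cache.warrink.ath.cx:8000/", "gwc.nonamer.ath.cx:8080/", "krill.shacknet.nu:20095/gwc",
    "gwebcache.linuxonly.nl/", "overbeer.ghostwhitecrab.de/",
    "hmmm.servebeer.com/gwebcache/gcache.cgi",
    "gwebcache.nerdboy.com.au/cgi-bin/perlgcache.cgi", "gwebcache.bearshare.net/gcache.Php",
]

# File name the virus uses when sharing itself, from the write-up.
SHARE_NAME = "pdmckaziejdntbJ"

# Query keys used by standard GWebCache clients (public spec; assumption that
# this sample's requests look like a standard client's).
GWC_QUERY_KEYS = {"ping", "hostfile", "urlfile"}


def host_port(url: str) -> Tuple[str, int]:
    """Lower-cased host and explicit port (80 when absent) of an http(s) URL."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.port or 80


def build_cache_index(entries: List[str] = GWEBCACHES) -> Set[Tuple[str, int]]:
    """Index the catalogue by (host, port); the catalogue entries carry no scheme."""
    return {host_port("http://" + e) for e in entries}


CACHE_INDEX = build_cache_index()


def classify_request(url: str, index: Set[Tuple[str, int]] = CACHE_INDEX) -> Optional[str]:
    """Return a verdict string for a suspicious URL, or None if nothing matched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if host_port(url) in index:
        return "known-gwebcache"
    if parts.path.rsplit("/", 1)[-1] == SHARE_NAME:
        return "polip-share-name"
    if GWC_QUERY_KEYS & set(parse_qs(parts.query)):
        return "gwebcache-style-query"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, url, verdict) for every flagged log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        ts, client, _method, url = fields[:4]
        verdict = classify_request(url)
        if verdict:
            hits.append((ts, client, url, verdict))
    return hits


# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET http://gwc.mine.nu:3333/?hostfile=1",
    "2024-05-01T10:00:02Z 10.0.0.5 GET http://gwebcache.bearshare.net/gcache.Php?ping=1",
    "2024-05-01T10:00:03Z 10.0.0.7 GET http://gwc.mine.nu:8080/",
    "2024-05-01T10:00:04Z 10.0.0.5 GET http://10.1.2.3:6346/get/7/pdmckaziejdntbJ",
    "2024-05-01T10:00:05Z 10.0.0.9 GET http://www.example.com/index.html",
    "2024-05-01T10:00:06Z 10.0.0.5 GET http://unknown.example.net/gwc.php?urlfile=1",
]

if __name__ == "__main__":
    for ts, client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {verdict:22} {url}")
```

Matching on host and port rather than host alone matters here: several catalogued hosts (for example crab2.dyndns.org) appear with more than one port, and a request to a catalogued host on an uncatalogued port is deliberately left unflagged by the first rule so the analyst can judge it separately.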
Payload
Deletes Files
Win32/Polip.A may delete antivirus checksum database files found in the current folder if the file name matches any of the following:
drwebase.vdb
avg.avi
vs.vsn
anti-vir.dat
avp.crc
chklist.ms
ivb.ntz
ivp.ntz
chklist.cps
smartchk.ms
smartchk.cps
aguard.dat
avgqt.dat
lguard.vps
Additional Information
The decrypted virus body contains the following string:
'Win32.Polipos v1.2 by Joseph.'
Analysis by Cristian Craioveanu