Virus:Win32/Jeefo.A


Win32/Jeefo is a parasitic file-infector virus. The virus infects Microsoft Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long. When an infected PE file runs, the virus tries to run the original content of the file.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

The Win32/Jeefo virus checks for the presence of a particular mutex to determine if an instance of the virus is already running on the infected computer. The mutex is named Global\PowerManagerMutant if the virus is running on Windows 2000, Windows XP, or Windows Server 2003. The mutex is named PowerManagerMutant on other versions of Windows.

If started without command-line arguments, Win32/Jeefo performs the following actions:
  • Terminates if the mutex was present when the virus started, or the infected computer is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
  • Infects Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long.
  • On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, Win32/Jeefo registers itself as a service: 
    Adds value: PowerManager
    With data: <name of virus file that is running>
    in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    This registry modification causes the virus to run automatically as a service each time Windows starts. On Windows 95, Windows 98, and Windows ME, service processes do not appear in Windows Task Manager.
  • On other versions of Windows, Win32/Jeefo:
    Registers itself as a service named: PowerManager
    with display name: Power Manager 
    with description: Manages the power save features of the computer.
If started with one or more command-line arguments, Win32/Jeefo:
  • Interprets the first argument as the name of a PE file.
  • Tries to disinfect that PE file to produce the original PE content, then attempts to overwrite the infected file with its original content.
  • Saves the disinfected file to %temp% if it cannot overwrite the infected file.
  • Tries to run the disinfected PE file.
When a PE file infected by Win32/Jeefo runs, the program performs the following actions:
  • Closes the mutex.
  • Creates file svchost.exe in the Windows folder. This svchost.exe file is a copy of the original stand-alone Win32/Jeefo virus. The file is at least 35,328 bytes long.
  • Attempts to run the original content of the PE file by running the dropped svchost.exe with a command-line argument as follows:
    %windir%\svchost.exe <full path to infected PE file> <infected PE file command-line argument>

Symptoms

The following symptoms may indicate that a computer is infected by a variant of Win32/Jeefo:
  • On Windows 95, Windows 98, Windows ME, and Windows NT 4.0 only:
    Presence of registry value: PowerManager
    containing string value: <name of virus file that is running>
    in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • All other versions of Windows:
    Presence of a service named: PowerManager
    with display name: Power Manager 
    with description: Manages the power save features of the computer.
  • Presence of a file named svchost.exe in the Windows folder. (Note: On Windows NT-based systems such as Windows 2000, Windows XP, and Windows Server 2003, there is a legitimate file named svchost.exe in the Windows system folder.)
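The indicators listed under Threat behavior and Symptoms can be checked offline against an inventory collected from a suspect machine. The Python script below is an added example written for this entry; it is not Microsoft's code. The service list, RunServices values and file listing it runs over are constructed sample data, the Windows folder path C:\WINDOWS is an assumption, and the checks cover the PowerManager RunServices value, the PowerManager service (name, display name and description) and a svchost.exe located in the Windows folder itself. The legitimate svchost.exe in the Windows system folder is deliberately not flagged.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Indicator values exactly as the entry lists them.
SERVICE_NAME = "PowerManager"
SERVICE_DISPLAY = "Power Manager"
SERVICE_DESC = "Manages the power save features of the computer."
RUNSERVICES_VALUE = "PowerManager"      # under HKLM\...\CurrentVersion\RunServices
DROPPED_FILE = "svchost.exe"            # dropped into the Windows folder itself
MIN_DROPPED_SIZE = 35_328               # the dropped copy is at least this long


@dataclass
class Service:
    name: str
    display_name: str
    description: str


@dataclass
class FileEntry:
    path: str   # full path, backslash separated
    size: int   # bytes


def find_indicators(services: Iterable[Service],
                    runservices_values: Dict[str, str],
                    files: Iterable[FileEntry],
                    windir: str = r"C:\WINDOWS") -> List[str]:
    """Return one human-readable line for every Jeefo indicator found."""
    hits: List[str] = []

    # Windows 95/98/ME/NT 4.0 persistence: a RunServices value named PowerManager.
    if RUNSERVICES_VALUE in runservices_values:
        hits.append(f"RunServices value {RUNSERVICES_VALUE} -> "
                    f"{runservices_values[RUNSERVICES_VALUE]}")

    # Other Windows versions: a service named PowerManager. Display name and
    # description are compared too, so a name-only match is reported as such.
    for svc in services:
        if svc.name.lower() == SERVICE_NAME.lower():
            full = (svc.display_name == SERVICE_DISPLAY
                    and svc.description == SERVICE_DESC)
            detail = ("display name and description match" if full
                      else "name matches only")
            hits.append(f"service {svc.name} ({detail})")

    # Dropped svchost.exe directly in the Windows folder. The legitimate
    # svchost.exe lives in the Windows system folder (e.g. C:\WINDOWS\system32)
    # and is not flagged by this check.
    windir_norm = windir.rstrip("\\").lower()
    for entry in files:
        folder, _, name = entry.path.rpartition("\\")
        if name.lower() == DROPPED_FILE and folder.lower() == windir_norm:
            size_note = ("" if entry.size >= MIN_DROPPED_SIZE
                         else " (smaller than the documented minimum dropper size)")
            hits.append(f"file {entry.path} ({entry.size} bytes){size_note}")
    return hits


def run_sample() -> List[str]:
    """Run the check over constructed sample data (not from a real machine)."""
    services = [
        Service("Spooler", "Print Spooler",
                "Loads files to memory for later printing."),
        Service("PowerManager", "Power Manager",
                "Manages the power save features of the computer."),
    ]
    runservices = {"PowerManager": r"C:\WINDOWS\svchost.exe"}
    files = [
        FileEntry(r"C:\WINDOWS\system32\svchost.exe", 14_336),  # legitimate, not flagged
        FileEntry(r"C:\WINDOWS\svchost.exe", 36_864),           # dropped copy
        FileEntry(r"C:\WINDOWS\notepad.exe", 69_120),
    ]
    return find_indicators(services, runservices, files)


if __name__ == "__main__":
    for line in run_sample():
        print("INDICATOR:", line)
```

On a live system the three inputs would come from the service control manager, the RunServices key and a listing of the Windows folder; keeping the matching logic separate from collection lets the same check run over exported inventories from many machines.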

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.183.2308.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 20, 2007
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Virus.Win32.Hidrag.a (Kaspersky)
  • W32/Jeefo (McAfee)
  • PE_JEEFO.A (Trend Micro)