The Win32/Parite virus is a polymorphic file infector. When run on a system, Win32/Parite takes the following actions:
- Drops a dynamic link library (DLL) to the Windows Temp directory. The file name is derived from the system time at the moment of infection and has the format <3 letters><4 hex characters>.tmp
- Injects the DLL into the explorer.exe process and modifies the registry to point to that DLL:
  Adds subkey: PINF
  To key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
- Infects all portable EXE and SCR files found on local and shared network drives.
The presence of the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF may be an indication of a Win32/Parite infection.
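
A triage check for the two indicators described above, as an added example that is not part of the original entry or any vendor tool. Because the Windows GetTempFileName API gives legitimate temporary files names of a similar shape, the name match is paired with a check that the file starts with the "MZ" executable header. Assumptions: names are matched case-insensitively, the directory defaults to the current user's temp folder, and the function and constant names are illustrative.

```python
import os
import re
import tempfile

try:
    import winreg  # Windows only; the registry check is skipped elsewhere
except ImportError:
    winreg = None

# <3 letters><4 hex characters>.tmp, as described in the entry. Matching
# case-insensitively is an assumption; the entry does not state the case.
DROP_NAME = re.compile(r"^[a-z]{3}[0-9a-f]{4}\.tmp$", re.IGNORECASE)
PINF_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\PINF"


def pinf_subkey_present():
    """True/False for the HKCU PINF subkey; None when not running on Windows."""
    if winreg is None:
        return None
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, PINF_KEY))
        return True
    except FileNotFoundError:
        return False


def suspicious_temp_files(temp_dir=None):
    """Files in temp_dir whose name fits the pattern and whose content starts with 'MZ'."""
    temp_dir = temp_dir or tempfile.gettempdir()
    hits = []
    for entry in os.scandir(temp_dir):
        if not entry.is_file() or not DROP_NAME.match(entry.name):
            continue
        try:
            with open(entry.path, "rb") as fh:
                if fh.read(2) == b"MZ":  # DOS header magic of EXE/DLL files
                    hits.append(entry.path)
        except OSError:
            continue  # locked or unreadable file: leave for manual review
    return sorted(hits)


if __name__ == "__main__":
    print("PINF subkey present:", pinf_subkey_present())
    for path in suspicious_temp_files():
        print("PE file with matching name in Temp:", path)
```

The registry check covers only the account running the script, since the subkey lives under HKEY_CURRENT_USER; run it per user profile, and pass the system Temp path to `suspicious_temp_files` if that directory should be scanned as well.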