The Win32/Jeefo virus checks for the presence of a particular mutex to determine if an instance of the virus is already running on your PC.
The mutex is named Global\PowerManagerMutant if the virus is running on the following versions of Windows:
- Windows XP
- Windows Server 2003
- Windows 2000
The mutex is named PowerManagerMutant on other versions of Windows.
When a PE file that was infected is run, the virus:
- Closes the mutex.
- Creates the file svchost.exe in the %SystemRoot% folder. This svchost.exe file is a copy of the original virus. The file is at least 35,328 bytes long.
- Attempts to run the original content of the PE file by running the dropped svchost.exe with the following command line:
  %windir%\svchost.exe <full path to infected PE file> <infected PE file command-line arguments>
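The launch pattern above (a copy of svchost.exe dropped directly in %SystemRoot% rather than %SystemRoot%\System32, started with the full path of another PE file as its first argument) is something a process-creation log can be screened for. The script below is an added example, not part of this encyclopedia entry; the tab-separated "Image<TAB>CommandLine" event format and the sample events are constructed for illustration, and the %SystemRoot% value is assumed to be C:\Windows.

```python
"""Screen constructed process-creation events for the Win32/Jeefo launch pattern.

Added example, not from the original entry. Event format (Image<TAB>CommandLine)
and the sample events below are assumptions made for this illustration.
"""
import ntpath
import re

# Constructed sample events: image path, a tab, then the full command line.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
    "C:\\Windows\\svchost.exe\t\"C:\\Windows\\svchost.exe\" \"C:\\Program Files\\Tool\\tool.exe\" /quiet",
    "C:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\svchost.exe -k LocalService -p",
    "C:\\Windows\\explorer.exe\tC:\\Windows\\explorer.exe",
]

_PE_EXTENSIONS = {".exe", ".scr", ".dll", ".cpl", ".ocx"}
_FULL_PATH = re.compile(r"^[A-Za-z]:\\")


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans together.

    Simplified rule set (no backslash-escaped quotes), sufficient for the sample events.
    """
    args, current, in_quotes, seen = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            seen = True
        elif ch.isspace() and not in_quotes:
            if seen:
                args.append("".join(current))
                current, seen = [], False
        else:
            current.append(ch)
            seen = True
    if seen:
        args.append("".join(current))
    return args


def jeefo_launch_reasons(image, cmdline, systemroot="C:\\Windows"):
    """Return the list of Jeefo launch indicators matched by one event (empty if none)."""
    reasons = []
    directory, name = ntpath.split(image)
    is_svchost = name.lower() == "svchost.exe"
    # Legitimate svchost.exe lives in %SystemRoot%\System32; Jeefo drops its copy one level up.
    if is_svchost and directory.lower() == systemroot.lower():
        reasons.append("svchost.exe running from %SystemRoot% instead of %SystemRoot%\\System32")
    # Jeefo passes the infected PE's full path as the first argument; real svchost takes -k <group>.
    args = split_windows_cmdline(cmdline)
    if is_svchost and len(args) >= 2:
        first = args[1]
        if _FULL_PATH.match(first) and ntpath.splitext(first)[1].lower() in _PE_EXTENSIONS:
            reasons.append("first argument is a full path to a PE file: " + first)
    return reasons


def scan_events(lines, systemroot="C:\\Windows"):
    """Map each flagged raw event line to the indicators it matched."""
    flagged = {}
    for line in lines:
        image, _, cmdline = line.partition("\t")
        reasons = jeefo_launch_reasons(image, cmdline, systemroot)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in scan_events(SAMPLE_EVENTS).items():
        print(line)
        for reason in reasons:
            print("   ", reason)
```

Only the second sample event is flagged, and it matches both indicators; the legitimate svchost.exe events (System32 path, `-k` argument) and explorer.exe pass through untouched.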
If started without command-line arguments, it:
- Closes itself if the mutex was present when the virus started, or the PC is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
- Infects Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long.
- On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, it changes the following registry entry so that it runs each time you start your PC:
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  Sets value: "PowerManager"
  With data: "<name of virus file that is running>"
- On other versions of Windows it installs itself as a service called "PowerManager", with:
If started with one or more command-line arguments, it:
- Interprets the first argument as the name of a PE file.
- Tries to disinfect that PE file to produce the original PE content, then attempts to overwrite the infected file with its original content.
- Saves the disinfected file to %TEMP% if it cannot overwrite the infected file.
- Tries to run the disinfected PE file.
The following can indicate that you have this threat on your PC:
On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, you see the following registry entry:
  Registry value: PowerManager
  containing string value: <name of virus file that is running>
  in key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
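The persistence and single-instance details above (the RunServices value, the "PowerManager" service, and the mutex whose name depends on the Windows version) can be checked together against a host inventory. The script below is an added example, not part of this entry; the .reg export fragment, the service list and the named-object list are constructed, and the way they would be collected from a real host is assumed.

```python
"""Check constructed host inventory for the Win32/Jeefo indicators listed in this entry.

Added example, not from the original entry. The inventory inputs (a .reg export
fragment, a service list, a list of named objects from a handle viewer) are
constructed for illustration.
"""
import re

GLOBAL_MUTEX_WINDOWS = {"Windows XP", "Windows Server 2003", "Windows 2000"}
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"

# Constructed .reg export (the doubled backslashes are .reg escaping).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"PowerManager"="C:\\WINDOWS\\svchost.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""
SAMPLE_SERVICES = ["Eventlog", "PowerManager", "Spooler"]          # constructed
SAMPLE_NAMED_OBJECTS = ["Global\\PowerManagerMutant", "Global\\SomeOtherMutex"]  # constructed

_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def expected_mutex_name(windows_version):
    """Mutex name Jeefo uses on the given Windows version, per the entry above."""
    if windows_version in GLOBAL_MUTEX_WINDOWS:
        return "Global\\PowerManagerMutant"
    return "PowerManagerMutant"


def _unescape(s):
    # .reg string escaping: a backslash quotes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the .reg subset used here: [Key] headers and "Name"="Data" string values.

    Returns {key: {value_name: data}} with escapes resolved.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _REG_VALUE.match(line)
            if m:
                name, data = (_unescape(g) for g in m.groups())
                entries[current][name] = data
    return entries


def jeefo_indicators(windows_version, reg_export, services, named_objects):
    """Return a list of human-readable findings; empty when nothing matches."""
    findings = []
    reg = {k.lower(): v for k, v in parse_reg_export(reg_export).items()}
    for name, data in reg.get(RUNSERVICES_KEY.lower(), {}).items():
        if name.lower() == "powermanager":
            findings.append("RunServices value PowerManager -> " + data)
    if any(s.lower() == "powermanager" for s in services):
        findings.append("service named PowerManager installed")
    mutex = expected_mutex_name(windows_version)
    if any(obj.lower() == mutex.lower() for obj in named_objects):
        findings.append("mutex " + mutex + " present")
    return findings


if __name__ == "__main__":
    for finding in jeefo_indicators("Windows XP", SAMPLE_REG_EXPORT, SAMPLE_SERVICES, SAMPLE_NAMED_OBJECTS):
        print(finding)
```

The registry and service checks fire whenever the value or service is present, regardless of version, since neither belongs on a clean host; only the mutex name is chosen per version, following the entry's two cases.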