Win32/Jeefo


Microsoft security software detects and removes this virus.

The virus infects executable files, such as files with a .exe extension. When an infected file runs, the virus tries to run the original content of the file while it infects other executable files on your PC.

This threat might have got onto your PC if you ran an infected executable from a removable disk or from a network share.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The Win32/Jeefo virus checks for the presence of a particular mutex to determine whether an instance of the virus is already running on your PC.

The mutex is named Global\PowerManagerMutant if the virus is running on the following versions of Windows:

  • Windows XP
  • Windows Server 2003
  • Windows 2000

The mutex is named PowerManagerMutant on other versions of Windows.

Payload

Infects files

When a PE file that was infected is run, the virus:

  • Closes the mutex.
  • Creates the file svchost.exe in the %SystemRoot% folder. This svchost.exe file is a copy of the original virus. The file is at least 35,328 bytes long.
  • Attempts to run the original content of the PE file by running the dropped svchost.exe with a command-line argument as follows:
    • %windir%\svchost.exe <full path to infected PE file> <infected PE file command-line argument>

If started without command-line arguments, it:

  • Closes itself if the mutex was present when the virus started, or the PC is running Windows 95, Windows 98, Windows ME, or Windows NT 4.0.
  • Infects Windows portable executable (PE) files that are greater than or equal to 102,400 bytes long.
  • On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, it changes the following registry entry so that it runs each time you start your PC:  
      
    In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Sets value: "PowerManager"
    With data: "<name of virus file that is running>"
     
  • On other versions of Windows it installs itself as a service called "PowerManager", with:
    • Display name: Power Manager 
    • Description: Manages the power save features of the computer

If started with one or more command-line arguments, it:

  • Interprets the first argument as the name of a PE file.
  • Tries to disinfect that PE file to produce the original PE content, then attempts to overwrite the infected file with its original content.
  • Saves the disinfected file to %TEMP% if it cannot overwrite the infected file.
  • Tries to run the disinfected PE file.

Symptoms

The following can indicate that you have this threat on your PC:

  • On Windows 95, Windows 98, Windows ME, and Windows NT 4.0, you see the following registry entry:
Registry value: PowerManager
containing string value: <name of virus file that is running>
in key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • On all other versions of Windows, you see a service called "PowerManager", with:
    • Display name: Power Manager 
    • Description: Manages the power save features of the computer
  • You have a file named svchost.exe directly in the %SystemRoot% folder (for example, C:\Windows\svchost.exe). On Windows NT-based systems, such as Windows 2000, Windows XP, and Windows Server 2003, the legitimate svchost.exe lives in %SystemRoot%\System32, so a copy directly in %SystemRoot% is suspicious on its own.
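The checks below collect, in one place, the host indicators described in the Installation, Payload and Symptoms sections: the dropped %SystemRoot%\svchost.exe, the "PowerManager" service, the RunServices registry value, and the PowerManagerMutant mutex in both of its name forms. This is an added triage script written for this page, not Microsoft's tooling or code from the virus itself; it assumes an elevated PowerShell 5.1 (or later) session on an NT-based Windows system and uses only standard cmdlets and .NET calls.

```powershell
# Added example: triage checks for the Win32/Jeefo indicators listed on this page.
# Run from an elevated PowerShell prompt; the script only reads state and changes nothing.
$findings = @()

# 1. Dropped copy of the virus: svchost.exe directly under %SystemRoot% (at least 35,328 bytes).
#    The legitimate service host lives in %SystemRoot%\System32, so this path alone is suspicious.
$dropped = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $item = Get-Item -LiteralPath $dropped
    $sig  = Get-AuthenticodeSignature -FilePath $dropped
    $findings += [pscustomobject]@{
        Indicator = 'Dropped file'
        Detail    = "$dropped ($($item.Length) bytes, Authenticode status: $($sig.Status))"
    }
}

# 2. Persistence as a service named PowerManager (display name "Power Manager").
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PowerManager'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = 'Service'
        Detail    = "Name=$($svc.Name) DisplayName='$($svc.DisplayName)' Path=$($svc.PathName) State=$($svc.State)"
    }
}

# 3. Persistence used on Windows 95/98/ME/NT 4.0: a PowerManager value under RunServices.
#    NT-based Windows normally has no RunServices key at all, so a hit here is notable by itself.
$runServices = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$value = Get-ItemProperty -Path $runServices -Name PowerManager -ErrorAction SilentlyContinue
if ($value) {
    $findings += [pscustomobject]@{
        Indicator = 'RunServices value'
        Detail    = "$runServices\PowerManager = $($value.PowerManager)"
    }
}

# 4. Running instance: the virus guards itself with a named mutex. The page gives the
#    Global\ form for Windows 2000/XP/Server 2003 and the bare form for other versions;
#    check both. An access-denied error means the object exists but we may not open it.
foreach ($name in 'Global\PowerManagerMutant', 'PowerManagerMutant') {
    $mutex = $null
    $present = $false
    try {
        $present = [System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)
        if ($present) { $mutex.Dispose() }
    } catch [System.UnauthorizedAccessException] {
        $present = $true
    }
    if ($present) {
        $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = $name }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Win32/Jeefo indicators present. Run a full scan with current Microsoft security software.'
} else {
    Write-Output 'No Win32/Jeefo indicators found.'
}
```

Two caveats when reading the result. A mutex name without the Global\ prefix is scoped to the session that created it, so on Windows Vista and later a copy running as a service in session 0 creates a mutex that an interactive session cannot see; the service and file checks are the reliable ones there. And none of these checks tells you which other executables (the page states the virus targets PE files of 102,400 bytes or more) have been infected; that still requires a full scan.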

Alert level: High
This entry was first published on: May 03, 2006
This entry was updated on: Feb 10, 2015

This threat is also detected as:
  • W32/Jeefo (McAfee)