
Win32.Polipos

(PE_POLIP.A, W32/Polip.A, W32/Polip, System error, Parser error, Generic.dx, Win32.Polip.Gen, W32/Autorun.worm.gen, Virus:Win32/Cekar.B, Win32.Polip.A, Malware-Cryptor.Win32.Palka, Virus:Win32/Polip.A, Win32/Bacalid, Worm/Delf.FOG, TR/VB.Downloader.Gen, P2P-Worm.Win32.Polip.a, WORM_PERLOVGA.F, Win32/Polipos, Win32.Bacalid.A, Worm.Win32.AutoRun.aaq, W32/Polip.A - Packed, Virus.Win32.Polip.A)

Virus description added:

Win32.Polipos is a complex polymorphic virus.

The virus infects Windows executable files by placing its polymorphic decryptor code into unused areas of the code sections. The main body of the virus, which the decryptor unpacks at run time, is placed in a new section of the infected executable.

When launched, the virus injects its code into all running processes, except those with the following names:

savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll, smss, csrss, spoolsv, ctfmon, temp.

Decrypted, unpacked copies of the virus thus remain resident in the memory of every running application. Each copy is responsible for a particular task: searching for files suitable for infection, performing the infection itself, controlling the P2P (Gnutella-based) network functionality, and so on. Infected files are shared with all users of that network.

Win32.Polipos intercepts (hooks) the following API functions:

ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW.

New files are infected when these hooked functions are called. When an infected file that carries an overlay (a self-extracting archive, an installer, and so on) is executed, the virus takes control, writes a clean copy of the file as ptf*.tmp in the temporary directory and then launches that copy.

The virus deletes the following anti-virus data files:

drwebase.vdb, avg.avi, vs.vsn, antivir.dat, avp.crc, chklist.ms, ivb.ntz, ivp.ntz, chklist.cps, smartchk.ms, smartchk.cps, aguard.dat, avgqt.dat, lguard.vps.

Win32.Polipos does not infect files whose names contain any of the following character combinations:

tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup temp norton mcafee anti tmp secure upx forti scan zone labs alarm symantec retina eeye virus firewall spider backdoor drweb viri debug panda shield kaspersky doctor trend micro sonique cillin barracuda sygate rescue pebundle ida spf assemble pklite aspack disasm gladiator ort expl process eliashim tds3 starforce safe'n'sec avx root burn aladdin esafe olly grisoft avg armor numega mirc softice norman neolite tiny ositis proxy webroot hack spy iss pkware blackice lavasoft aware pecompact clean hunter common kerio route trojan spyware heal alwil qualys tenable avast a2 etrust spy steganos security principal agnitum outpost avp personal softwin defender intermute guard inoculate sophos frisk alwil protect eset nod32 f-prot avwin ahead nero blindwrite clonecd elaborate slysoft hijack roxio imapi newtech infosystems adaptec swift sound copystar astonsoft gear software sateira dfrgntfs

The virus contains the string “Win32.Polipos v1.2 by Joseph”.
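The indicators given above (the ptf*.tmp clean copies, the filename exclusion list and the marker string) lend themselves to a small triage helper for incident responders. The following Python is an added example, not Dr.Web's code; the constants are taken from this description, while the function names and the assumption that the name check runs on the bare, lower-cased filename are the example's own.

```python
"""Triage helpers derived from the Win32.Polipos indicators in the description above.
Added example, not Dr.Web's code; constant values come from the description, everything
else (function names, the bare-filename matching assumption) is this example's own."""
import fnmatch
import os
from typing import Iterable, List, Optional

# Marker string quoted in the description. It lives in the code-protected body, so expect
# hits in memory dumps or unpacked samples rather than in raw infected files on disk.
MARKER = b"Win32.Polipos v1.2 by Joseph"

# Name fragments the virus refuses to infect (verbatim from the description, lower case).
NAME_EXCLUSIONS = (
    "tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn pack vsaf vswp fsav adinf sqstart mc watch kasp "
    "nod setup temp norton mcafee anti tmp secure upx forti scan zone labs alarm symantec retina eeye virus "
    "firewall spider backdoor drweb viri debug panda shield kaspersky doctor trend micro sonique cillin "
    "barracuda sygate rescue pebundle ida spf assemble pklite aspack disasm gladiator ort expl process "
    "eliashim tds3 starforce safe'n'sec avx root burn aladdin esafe olly grisoft avg armor numega mirc "
    "softice norman neolite tiny ositis proxy webroot hack spy iss pkware blackice lavasoft aware pecompact "
    "clean hunter common kerio route trojan spyware heal alwil qualys tenable avast a2 etrust spy steganos "
    "security principal agnitum outpost avp personal softwin defender intermute guard inoculate sophos "
    "frisk alwil protect eset nod32 f-prot avwin ahead nero blindwrite clonecd elaborate slysoft hijack "
    "roxio imapi newtech infosystems adaptec swift sound copystar astonsoft gear software sateira dfrgntfs"
).split()


def would_be_skipped(filename: str) -> Optional[str]:
    """Return the first exclusion fragment found in the name, or None if the virus would
    treat the file as an infection target. Assumption: the bare, lower-cased name is checked."""
    name = os.path.basename(filename).lower()
    for frag in NAME_EXCLUSIONS:
        if frag in name:
            return frag
    return None


def find_marker(data: bytes) -> List[int]:
    """Offsets of every occurrence of the marker string in a buffer (e.g. a memory dump)."""
    hits, pos = [], data.find(MARKER)
    while pos != -1:
        hits.append(pos)
        pos = data.find(MARKER, pos + 1)
    return hits


def find_temp_artifacts(names: Iterable[str]) -> List[str]:
    """Names matching the ptf*.tmp clean copies the virus drops in the temp directory."""
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), "ptf*.tmp")]
```

Files that `would_be_skipped` flags are exactly those the virus leaves clean, so their absence from an infection sweep is expected rather than reassuring.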

© Doctor Web
2003 — 2019