FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Win32.Polipos

(PE_POLIP.A, W32/Polip.A, W32/Polip, System error, Parser error, Generic.dx, Win32.Polip.Gen, W32/Autorun.worm.gen, Virus:Win32/Cekar.B, Win32.Polip.A, Malware-Cryptor.Win32.Palka, Virus:Win32/Polip.A , Win32/Bacalid, Virus:Win32/Polip.A, Worm/Delf.FOG, TR/VB.Downloader.Gen, P2P-Worm.Win32.Polip.a, WORM_PERLOVGA.F, Win32/Polipos, Win32.Bacalid.A, Worm.Win32.AutoRun.aaq, W32/Polip.A - Packed, Virus.Win32.Polip.A)

Virus description added:

Win32.Polipos is a complicated polymorphic virus.

The virus affects the Windows executable files putting the polymorphic decryptor code into vacant areas of the code sections. The main code-protected body of the virus goes into a new section of the infected executable file.

When launched, the virus injects its code into all active processes. The exceptions are the processes, which have the following names:

savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll, smss, csrss, spoolsv, ctfmon, temp.

Self-decoded and extracted copies of the virus become resident in the memory of each active application. Each copy is responsible for a certain type of action: searching for files which are appropriate for infection, the process of infection itself, P2P network (based on Gnutella networks) function control and so on. Infected files become available for all the users of the network.

Win32.Polipos intercepts the following API functions:

ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW.

When the abovementioned functions are executed, the infection of new files takes place. The virus puts the infected file with overlays (sfx-archives, installation programs and so on) in control and creates a clean ptf*.tmp copy of the file in the temporary directory. Then it launches this file.

The virus removes the following antivirus program files:

drwebase.vdb, avg.avi, vs.vsn, antivir.dat, avp.crc, chklist.ms,ivb.ntz, ivp.ntz, chklist.cps, smartchk.ms, smartchk.cps, aguard.dat, avgqt.dat, lguard.vps.

Win32.Polipos does not infect files, whose names have the following combinations:

tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup temp norton mcafee anti tmp secure upx forti scan zone labs alarm symantec retina eeye virus firewall spider backdoor drweb viri debug panda shield kaspersky doctor trend micro sonique cillin barracuda sygate rescue pebundle ida spf assemble pklite aspack disasm gladiator ort expl process eliashim tds3 starforce safe'n'sec avx root burn aladdin esafe olly grisoft avg armor numega mirc softice norman neolite tiny ositis proxy webroot hack spy iss pkware blackice lavasoft aware pecompact clean hunter common kerio route trojan spyware heal alwil qualys tenable avast a2 etrust spy steganos security principal agnitum outpost avp personal softwin defender intermute guard inoculate sophos frisk alwil protect eset nod32 f-prot avwin ahead nero blindwrite clonecd elaborate slysoft hijack roxio imapi newtech infosystems adaptec swift sound copystar astonsoft gear software sateira dfrgntfs

The virus contains the line “Win32.Polipos v1.2 by Joseph”.