Virus: Generic.e!71CDC3201116

Description

This is a virus detection. Viruses are programs that self-replicate recursively: an infected system spreads the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

Microsoft – Trojan:Win32/Bagsu!rfn
Symantec – Trojan.Gen

Indication of Infection

Presence of the files, registry entries and network connections listed under Methods of Infection below.

Methods of Infection

“Generic.e!71CDC3201116” is a parasitic virus that infects Win32 PE executable files. It searches local drives, removable media and network shares for Windows PE executables to infect. For each file it infects, it replaces the original entry point with its viral code and appends itself to the last section of the PE image.
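The infection method above leaves a recognisable layout: the entry point no longer resolves into the first code section but into the last section of the image, which the infector typically also marks writable so it can patch itself at run time. The following Python is an added example for triaging that layout; it is not part of this description and not the vendor's detection logic. It parses the DOS header, COFF header, optional header and section table by hand, then flags an entry point that lands in the last section or in a section that is both writable and executable. The two images it inspects are header-only test data constructed inline, not samples of this virus.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint, same offset in both
    sections = []
    off = opt + opt_size                                  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
        off += 40
    return entry, sections


def assess(data):
    """Heuristic triage: list the findings that point at an appended-code (file infector) layout."""
    entry, sections = parse_pe(data)
    hit = None
    for idx, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"], 1):
            hit = idx
            break
    if hit is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    s = sections[hit]
    if len(sections) > 1 and hit == len(sections) - 1:
        findings.append("entry point 0x%x resolves into the last section %s" % (entry, s["name"]))
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % s["name"])
    elif not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not marked executable" % s["name"])
    return findings


def build_pe(sections, entry_rva):
    """Build a header-only PE32 image (constructed test data, not a real binary)."""
    opt_size = 0xE0
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts: a normal image, and one shaped like a file-infector victim
# (entry point moved into a trailing section that is readable, writable and executable).
CLEAN_LAYOUT = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                         (b".data", 0x3000, 0x1000, 0xC0000040)], entry_rva=0x1100)
INFECTED_LAYOUT = build_pe([(b".text", 0x1000, 0x2000, 0x60000020),
                            (b".data", 0x3000, 0x1000, 0xC0000040),
                            (b".reloc", 0x4000, 0x1000, 0xE0000040)], entry_rva=0x4F20)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_LAYOUT), ("infected", INFECTED_LAYOUT)):
        print(label, assess(image) or ["no findings"])
```

Treat the result as a triage signal, not a verdict: runtime packers and some installers also place the entry point in a trailing section, so a hit should be followed by looking at the code at the entry point and at whether a jump back to the original entry point exists.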

Upon execution, the virus tries to connect to the following hosts:

112.[removed].12

irc.s[removed]l.co.cc

Upon execution, the following file is added to the system:

%TEMP%\lsass.exe

The file name mimics the legitimate Local Security Authority process, which runs from %SystemRoot%\System32\lsass.exe; a copy in %TEMP% is not a Windows component.

The following Run entries ensure that the virus is executed at every system startup (the HKEY_USERS\S-1-5-21-[varies] hive is the profile of the logged-on user, the same data seen under HKEY_CURRENT_USER):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Firewall: “%TEMP%\lsass.exe”

HKEY_USERS\S-1-5-21-[varies]\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall: “%TEMP%\lsass.exe”
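The two Run values above are the persistence check a responder can automate across many hosts. The Python below is an added example, not part of this description: it parses the text that `reg export` produces for the Run keys and reports autostart values whose target carries the name of a core system process but does not live in System32, or that start from a temp directory. The embedded export is constructed sample data (the SID in it is made up), and the list of system process names and the temp-path rules are this example's own assumptions.

```python
import ntpath
import re

# Constructed `reg export` text standing in for a real host's Run keys; the SID is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Firewall"="%TEMP%\\lsass.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Firewall"="%TEMP%\\lsass.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Example's own list: processes that legitimately live only in %SystemRoot%\System32.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe"}
SYSTEM32_DIRS = {"c:\\windows\\system32", "%systemroot%\\system32", "%windir%\\system32"}
TEMP_PREFIXES = ("%temp%\\", "%tmp%\\")


def command_path(data):
    """Extract the executable path from a REG_SZ Run value; None for non-string data."""
    if not (data.startswith('"') and data.endswith('"')):
        return None                        # hex(2)/dword/... data is not handled in this example
    cmd = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg escaping of \ and "
    if cmd.startswith('"'):                # quoted path followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]               # assumption: unquoted paths carry no spaces


def suspicious_reasons(path):
    """Reasons an autostart target looks wrong; empty list means nothing to report."""
    low = path.lower()
    base = ntpath.basename(low)
    folder = ntpath.dirname(low)
    reasons = []
    if base in SYSTEM_PROCESS_NAMES and folder not in SYSTEM32_DIRS:
        reasons.append("%s outside System32" % base)
    if low.startswith(TEMP_PREFIXES) or "\\appdata\\local\\temp\\" in low:
        reasons.append("autostart from a temp directory")
    return reasons


def scan_reg_export(text):
    """Walk a .reg export and return the Run/RunOnce values that deserve a look."""
    findings = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key or not RUN_KEY_RE.search(current_key):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        path = command_path(data)
        if path is None:
            continue
        reasons = suspicious_reasons(path)
        if reasons:
            findings.append({"key": current_key, "value": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f["key"], "|", f["value"], "->", f["path"], "|", "; ".join(f["reasons"]))
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` produces this format; reg.exe writes the file as UTF-16 with a byte-order mark, so read it with `encoding="utf-16"` before passing it in. REG_EXPAND_SZ values export as `hex(2):` byte lists and are skipped here, so decode those separately if the value of interest is not a plain REG_SZ.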
