Win32/Floxif [Threat Name]
Win32/Floxif.H [Threat Variant Name]
Category | virus
Size | 78279 B
Aliases | Virus.Win32.Pioneer.cz (Kaspersky)
 | W32.Fixflo.B!inf (Symantec)
 | Win32.FloodFix.7 (Dr.Web)
 | Virus:Win32/Floxif.H (Microsoft)
Short description
Win32/Floxif.H is a file infector.
Installation
When executed, the virus creates the following files:
- C:\Program Files\Common Files\System\symsrv.dll (69337 B, Win32/Floxif.E)
In order to be loaded into every process that maps user32.dll, and therefore on every system start, the virus sets the following Registry entries (AppInit_DLLs persistence, with the signing requirement switched off so that the unsigned dropped DLL is accepted):
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
- "AppInit_DLLs" = "C:\Program Files\Common Files\System\symsrv.dll"
- "LoadAppInit_DLLs" = 1
- "RequireSignedAppInit_DLLs" = 0
The virus may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0 (protected operating system files stay hidden in Explorer, which conceals the dropped autorun.inf and pagefile.pif)
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutoRun" = 145 (0x91, the Windows XP default: AutoRun remains enabled for removable and fixed drives)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\SuperHidden]
- "Type" = "radio" (changes the Folder Options control so the "Hide protected operating system files" setting cannot be toggled from the Explorer UI)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "SFCDisable" = 4294967197 (0xFFFFFF9D, the value used to switch off Windows File Protection)
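The following PowerShell is an added example, not code from the ESET page or from the malware. It reads the AppInit_DLLs values listed above and flags the combination the virus writes (LoadAppInit_DLLs=1, RequireSignedAppInit_DLLs=0, symsrv.dll named in AppInit_DLLs). The -HiveRoot parameter and the offline-hive usage are assumptions added here: because the virus hooks RegOpenKeyExA/W and WinVerifyTrust on a running infected host, the live registry and signature answers may be falsified, so a hive loaded from a mounted or imaged disk is the trustworthy source.

```powershell
# Added example (not from the ESET page or the malware): audit the AppInit_DLLs
# persistence used by Win32/Floxif.H.
# -HiveRoot defaults to the live machine hive. To inspect a non-running
# installation instead (assumed usage, not described on the page), run
#   reg load HKLM\Offline X:\Windows\System32\config\SOFTWARE
# and pass -HiveRoot 'HKLM:\Offline'.
function Test-FloxifAppInit {
    param([string]$HiveRoot = 'HKLM:\SOFTWARE')

    # The page names only the native key; the Wow6432Node view is checked as well
    # because 32-bit processes on x64 read their AppInit_DLLs from there.
    $keys = @(
        "$HiveRoot\Microsoft\Windows NT\CurrentVersion\Windows",
        "$HiveRoot\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
    )
    $floxifDll = 'C:\Program Files\Common Files\System\symsrv.dll'   # dropped DLL named on the page

    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $p = Get-ItemProperty -LiteralPath $key

        # Resolve every DLL listed (the value is space/comma separated) and check it.
        $dlls = @()
        if ($p.AppInit_DLLs) {
            $dlls = @($p.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ } | ForEach-Object {
                $path   = [Environment]::ExpandEnvironmentVariables($_)
                $exists = Test-Path -LiteralPath $path
                $status = 'Missing'
                if ($exists) { $status = (Get-AuthenticodeSignature -LiteralPath $path).Status }
                [pscustomobject]@{
                    Path      = $path
                    Exists    = $exists
                    Signature = $status
                    IsFloxif  = ($path -ieq $floxifDll)
                }
            })
        }

        $unsignedAllowed = ($p.LoadAppInit_DLLs -eq 1 -and $p.RequireSignedAppInit_DLLs -eq 0)
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = $p.AppInit_DLLs
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
            # Loading enabled + signing not required is exactly what the virus sets.
            UnsignedLoadAllowed       = $unsignedAllowed
            # Same settings plus the named DLL: strong match for Floxif.H.
            MatchesFloxif             = ($unsignedAllowed -and ($dlls.IsFloxif -contains $true))
            Dlls                      = $dlls
        }
    }
}

# Remediation for the live hive, to run only after the finding is confirmed:
# clears the DLL list and re-enables the signing requirement.
function Remove-FloxifAppInit {
    param([string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
    Set-ItemProperty -LiteralPath $Key -Name 'AppInit_DLLs' -Value ''
    Set-ItemProperty -LiteralPath $Key -Name 'RequireSignedAppInit_DLLs' -Value 1 -Type DWord
}

# Usage
$state = Test-FloxifAppInit
foreach ($s in $state) {
    $s | Format-List Key, AppInit_DLLs, LoadAppInit_DLLs, RequireSignedAppInit_DLLs, UnsignedLoadAllowed, MatchesFloxif
    $s.Dlls | Format-Table Path, Exists, Signature, IsFloxif -AutoSize
    if ($s.UnsignedLoadAllowed) { Write-Warning "$($s.Key): unsigned AppInit DLLs are allowed to load" }
}
```

Run it elevated. Any non-empty AppInit_DLLs value deserves a look on a modern system, not only an exact symsrv.dll match. Note that on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled altogether, so these values being set does not by itself mean the DLL was loaded there; on older systems it does.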
The virus hooks the following Windows APIs:
- CredReadW (advapi32.dll)
- CreateServiceA (advapi32.dll)
- CreateServiceW (advapi32.dll)
- OpenServiceA (advapi32.dll)
- OpenServiceW (advapi32.dll)
- WinVerifyTrust (WINTRUST.dll)
- CreateFileW (kernel32.dll)
- ExitProcess (kernel32.dll)
- RegOpenKeyExA (kernel32.dll)
- RegOpenKeyExW (kernel32.dll)
- CreateProcessInternalW (kernel32.dll)
- MessageBoxTimeoutW (user32.dll)
- KiUserExceptionDispatcher (ntdll.dll)
- WahReferenceContextByHandle (ws2help.dll)
File infection
The virus infects executable files.
The virus searches local drives for files with the following file extensions:
- .dll
- .ocx
- .exe
If a folder name matches one of the following strings, files inside it are not infected:
- %windir%
- 股票 (Chinese for "stocks"/"shares")
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is 78279 B.
Other information
The virus terminates its execution if it detects that it is running in a specific virtual environment.
The virus interferes with the operation of some security applications to avoid detection.
The virus contains a list of two URLs; communication with them uses the HTTP protocol.
It tries to download several files from these addresses.
These are stored in the following locations:
- %drive%\pagefile.pif
- %drive%\autorun.inf
- %temp%\update.exe
- C:\Program Files\Common Files\System\symsrv.dll.000
The virus executes the following files:
- %temp%\update.exe
The virus attempts to delete the following files:
- C:\Program Files\Common Files\System\symsrv.dll.dat
- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\A1D26E2\*.tmp
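The following PowerShell is an added example, not code from the ESET page or from the malware. It sweeps a host for the dropped-file artefacts listed in this section and in Installation, and then looks for the infection itself: executable files outside %windir% with the targeted extensions (.exe, .dll, .ocx) that carry an Authenticode signature which no longer verifies, which is what prepending the virus body to a previously signed host leaves behind. The scan roots, the reading of %drive% as every filesystem drive root, and the use of hash-mismatch as the infection heuristic are assumptions made here.

```powershell
# Added example (not from the ESET page or the malware): file-system triage for
# Win32/Floxif.H. Paths for the dropped files come from the page; scan roots and
# the %drive% expansion are assumptions.

function Get-FloxifArtifactPaths {
    $common = "$env:CommonProgramFiles\System"   # C:\Program Files\Common Files\System on a default install
    $fixed = @(
        (Join-Path $common 'symsrv.dll'),
        (Join-Path $common 'symsrv.dll.000'),
        (Join-Path $common 'symsrv.dll.dat'),      # the virus deletes this itself, so absence proves nothing
        (Join-Path $env:TEMP 'update.exe')
    )
    # %drive% is taken to mean the root of every filesystem drive (assumption).
    $perDrive = foreach ($d in (Get-PSDrive -PSProvider FileSystem)) {
        Join-Path $d.Root 'pagefile.pif'
        Join-Path $d.Root 'autorun.inf'
    }
    $fixed + $perDrive
}

function Find-FloxifArtifacts {
    foreach ($p in Get-FloxifArtifactPaths) {
        # -Force: the virus sets ShowSuperHidden=0, so expect hidden+system attributes.
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) {
            [pscustomobject]@{
                Path   = $f.FullName
                Size   = $f.Length
                Attrs  = $f.Attributes
                SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-TamperedSignedPE {
    param(
        # Assumed scan roots; point these at a mounted image for an offline check.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:USERPROFILE),
        [string[]]$Extensions = @('.exe', '.dll', '.ocx')   # the extensions the virus targets
    )
    $windir = $env:windir
    Get-ChildItem -LiteralPath ($Roots | Where-Object { $_ }) -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $Extensions -contains $_.Extension.ToLowerInvariant() -and
            -not $_.FullName.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)   # the virus skips %windir% too
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            # HashMismatch: the file carries a signature, but its bytes changed after signing.
            # A host file grown by the 78279 B virus body can no longer match its signed hash.
            if ($sig.Status -eq 'HashMismatch') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Usage
Find-FloxifArtifacts   | Format-Table -AutoSize
Find-TamperedSignedPE  | Format-Table -AutoSize
```

Two caveats. First, a HashMismatch only says the file was modified after it was signed; it is evidence to pull the sample and compare it with a vendor copy, not proof of Floxif, and unsigned hosts infected by the virus will not show up at all. Second, the hook list above includes CreateFileW and WinVerifyTrust, so on a running infected system both the file listing and the signature verdicts can be falsified; run the sweep from a clean boot environment or against a mounted image by passing -Roots.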