
W32/Polip.A - Released Apr 14, 2006 - Last Updated May 01, 2006

Alias/es

P2P-Worm.Win32.Polipos.a [KAV], PE_POLIP.A [TM], W32.Polip [SAV], W32/Polip.A!worm.p2p, W32/Polipos-A [Sophos], W32/Polipos.A, W32/Polipos.A [FP], W32/Polipos.A!worm.p2p, W32/Polipos.V12

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • infected files grow in size by 60Kb or more

Detailed Analysis

This is a polymorphic virus that infects 32-bit Portable Executable (PE) files.

When this virus infects a target file, it adds a PE section reference into the PE header, and an additional PE section is inserted into the host file. The entry point may also be modified to point directly to the infectious code, but in some cases, the viral code is referenced later in the code sequence. The new code section may appear between existing code sections, or it could be an appended section. Files that become infected grow in size by 60Kb or more.

Miscellaneous
The new section will not have a name such as ".idata" or ".rsrc".
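The structural traits described above (an extra section with no name, possibly holding the entry point) can be checked by reading the PE section table directly. The following is an added example, not Fortinet code: the function names and the constructed sample images are assumptions, and an unnamed section is only a triage hint, not a signature match.

```python
import struct

def parse_sections(data):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i                     # 40-byte section headers
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        sections.append((name.rstrip(b"\0"), vaddr, vsize))
    return entry, sections

def unnamed_sections(data):
    """List (index, virtual_address, holds_entry_point) for each section with no name."""
    entry, sections = parse_sections(data)
    return [(i, vaddr, vaddr <= entry < vaddr + vsize)
            for i, (name, vaddr, vsize) in enumerate(sections) if not name]

def build_sample(entry, names):
    """Constructed test input: bare PE32 headers, one 0x1000-byte section per name."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # PE header right after DOS header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sII24x", n, 0x1000, 0x1000 * (i + 1))
                     for i, n in enumerate(names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    samples = {
        "inserted, entry redirected": build_sample(0x2010, [b".text", b"", b".rsrc"]),
        "appended, entry unchanged": build_sample(0x1000, [b".text", b".rsrc", b""]),
        "clean layout": build_sample(0x1000, [b".text", b".rsrc"]),
    }
    for label, image in samples.items():
        print(label, unnamed_sections(image))
```

A hit where the entry point lies outside the unnamed section corresponds to the case above in which the viral code is reached later in the host's execution.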

Recommended Action



  • FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

  • FortiClient systems: quarantine/delete infected files detected and replace infected files with clean backup copies


Reference: ID - 170607