W32/Jeefo.A

Analysis


  • This is a 32-bit virus with an infection size of 36,352 bytes.

  • When executed, it drops an infectious binary into the Windows folder as svchost.exe. On Windows NT/2000/XP systems, it registers this file to run as a service at startup.

  • Under Windows NT/2000/XP, the virus uses imports from ADVAPI32.DLL (the service control manager API) in order to create itself as a service and start it. The service, listed as Power Manager, is visible in the Administrative Tools / Services applet. Below are the properties of the service created by this virus:
    • Display Name: Power Manager
    • Description: Manages the power save features of the computer
    • Path to executable: <Windows folder>\svchost.exe
    • Startup type: Automatic
    • Log on as: Local System account
    • Dependencies: <No Dependencies>

  • While the virus runs as a service, it slowly infects other 32-bit PE files on the system by prepending its code to the target files, so each infected file grows by the 36,352-byte virus body.

  • When the virus creates the service, the following keys are created in the system registry (CurrentControlSet is a symbolic link to the active control set, here ControlSet001, so each key appears under both paths):

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POWERMANAGER\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000\Control
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PowerManager\Security

  • The above listed keys are populated with data describing how the virus will load and where the file is located, as in the following example (Start = 2 is SERVICE_AUTO_START, Type = 0x10 is SERVICE_WIN32_OWN_PROCESS and ErrorControl = 0 is SERVICE_ERROR_IGNORE, matching the Automatic startup and Local System properties listed above):

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\
    "Description" = Manages the power save features of the computer.
    "DisplayName" = Power Manager
    "ErrorControl" = 00, 00, 00, 00
    "ImagePath" = C:\WINNT\svchost.exe
    "ObjectName" = LocalSystem
    "Start" = 02, 00, 00, 00
    "Type" = 10, 00, 00, 00

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PowerManager\Enum\
    "0" = Root\LEGACY_POWERMANAGER\0000
    "Count" = 01, 00, 00, 00
    "NextInstance" = 01, 00, 00, 00

  • The virus contains the string Ijeefo!Esbhpo! in its code (the text "Hidden Dragon " with every byte incremented by one).
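The analysis above describes a prepender: the virus body is placed in front of the host PE, and the marker string travels with it. The following is an added illustration, not Fortinet's code and not the real virus body, of how a scanner can flag and strip such an infection. It assumes (the page does not state this) that the 36,352-byte body sits at offset 0 of an infected file with the original host PE following it unchanged at offset 36352; the sample files it builds are constructed stand-ins that share only the marker string reported above.

```python
"""Detect and strip a prepended W32/Jeefo.A-style infection from a PE image.

Added example. Assumptions not stated on the page:
  - the 36,352-byte virus body occupies bytes [0, 36352) of an infected file
    and the unmodified host PE starts at offset 36352;
  - the constructed 'virus body' below is a stand-in that only shares the
    marker string reported in the analysis.
"""
import struct
from pathlib import Path

VIRUS_SIZE = 36352            # infection size reported in the analysis
MARKER = b"Ijeefo!Esbhpo!"    # marker string reported in the analysis
MZ = b"MZ"
PE_SIG = b"PE\0\0"


def _has_pe_header(data: bytes, off: int) -> bool:
    """True if a plausible MZ header with a valid e_lfanew -> 'PE\\0\\0' starts at data[off]."""
    if data[off:off + 2] != MZ or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == PE_SIG


def scan_file(data: bytes) -> str:
    """Classify a file image: 'not-pe', 'clean', 'suspect' or 'infected'.

    'infected' requires both signals: the marker inside the first VIRUS_SIZE
    bytes and a second PE header exactly at VIRUS_SIZE (the buried host).
    One signal alone is reported as 'suspect' for manual review.
    """
    if not _has_pe_header(data, 0):
        return "not-pe"
    marker_hit = MARKER in data[:VIRUS_SIZE]
    host_follows = len(data) > VIRUS_SIZE and _has_pe_header(data, VIRUS_SIZE)
    if marker_hit and host_follows:
        return "infected"
    if marker_hit or host_follows:
        return "suspect"
    return "clean"


def disinfect(data: bytes) -> bytes:
    """Return the original host by dropping the prepended body; refuses anything not 'infected'."""
    if scan_file(data) != "infected":
        raise ValueError("not a recognised prepended infection")
    return data[VIRUS_SIZE:]


def scan_path(path: Path) -> str:
    """Convenience wrapper for on-disk files."""
    return scan_file(path.read_bytes())


# --- constructed sample data (not real malware) -----------------------------

def make_pe_stub(tag: bytes) -> bytes:
    """Minimal fake PE: 64-byte MZ header, e_lfanew = 0x40, PE signature, then tag bytes."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIG + tag


def make_infected(host: bytes) -> bytes:
    """Constructed infected image: VIRUS_SIZE-byte stand-in body (carrying MARKER) + host."""
    body = bytearray(make_pe_stub(MARKER))
    body += b"\0" * (VIRUS_SIZE - len(body))
    return bytes(body) + host


if __name__ == "__main__":
    host = make_pe_stub(b"HOST-PROGRAM")
    infected = make_infected(host)
    print("host    :", scan_file(host), len(host), "bytes")
    print("infected:", scan_file(infected), len(infected), "bytes")
    print("restored matches host:", disinfect(infected) == host)
```

Requiring both the marker and the buried PE header before stripping keeps the disinfector from truncating a legitimate file that merely contains the marker bytes; a real-world tool would also verify the recovered host (checksum, section table) before overwriting the original.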

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2024-03-11 92.02346
2024-01-22 92.00882
2024-01-20 92.00810
2024-01-10 92.00520
2024-01-03 92.00311
2023-12-27 92.00101
2023-12-11 91.09607
2023-12-06 91.09473
2023-12-01 91.09313
2023-11-19 91.08956