Win32/Floxif [Threat Name] go to Threat

Win32/Floxif.H [Threat Variant Name]

Category virus
Size 78279 B
Detection created Sep 04, 2015
Detection database version 12204
Aliases Virus.Win32.Pioneer.cz (Kaspersky)
  W32.Fixflo.B!inf (Symantec)
  Win32.FloodFix.7 (Dr.Web)
  Virus:Win32/Floxif.H (Microsoft)
Short description

Win32/Floxif.H is a file infector.

Installation

When executed, the virus creates the following files:

  • C:\­Program Files\­Common Files\­System\­symsrv.dll (69337 B, Win32/Floxif.E)

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "AppInit_DLLs" = "C:\­Program Files\­Common Files\­System\­symsrv.dll"
    • "LoadAppInit_DLLs" = 1
    • "RequireSignedAppInit_DLLs" = 0

The virus may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun" = 145
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­explorer\­Advanced\­Folder\­SuperHidden]
    • "Type" = "radio"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "SFCDisable" = 4294967197

The virus hooks the following Windows APIs:

  • CredReadW (advapi32.dll)
  • CreateServiceA (advapi32.dll)
  • CreateServiceW (advapi32.dll)
  • OpenServiceA (advapi32.dll)
  • OpenServiceW (advapi32.dll)
  • WinVerifyTrust (WINTRUST.dll)
  • CreateFileW (kernel32.dll)
  • ExitProcess (kernel32.dll)
  • RegOpenKeyExA (kernel32.dll)
  • RegOpenKeyExW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • KiUserExceptionDispatcher (ntdll.dll)
  • WahReferenceContextByHandle (ws2help.dll)
File infection

The virus infects executable files.


The virus searches local drives for files with the following file extensions:

  • .dll
  • .ocx
  • .exe

If a folder name matches one of the following strings, files inside it are not infected:

  • %windir%
  • 股票

The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 78279 B .


Other information

The virus terminates its execution if it detects that it's running in a specific virtual environment.


The virus interferes with the operation of some security applications to avoid detection.


The virus contains a list of (2) URLs. The HTTP protocol is used in the communication.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %drive%\­pagefile.pif
  • %drive%\­autorun.inf
  • %temp%\­update.exe
  • C:\­Program Files\­Common Files\­System\­symsrv.dll.000

The virus executes the following files:

  • %temp%\­update.exe

The virus attempts to delete the following files:

  • C:\­Program Files\­Common Files\­System\­symsrv.dll.dat
  • C:\­DOCUME~1\­ADMINI~1\­LOCALS~1\­Temp\­A1D26E2\­*.tmp

Please enable Javascript to ensure correct displaying of this content and refresh this page.