Master Cleanse Secrets

Memories: Win32.Polipos.A


my desktop was full of this worm
including the anti-virus itself =____________________=

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*


( Win32.Polipos, Win32/Polip.A, W32.Polip, W32/Polipos-A, P2P-Worm.Win32.Polip.a, W32/Polipos.V12 )

Spreading: low
Type: Virus, Worm
Damage: medium
Platform: Win32
Size: ~65 kbytes
Discovered: Apr 2006

SYMPTOMS:

The size of an infected executable increases by about 60-70 KB.
Unusual network activity may be observed.
Suspicious activity from running processes (searching for and modifying executable files).

TECHNICAL DESCRIPTION:

Win32.Polip.A is a dangerous polymorphic file infector and entry-point-obscuring virus that infects Windows portable executable (PE) files, with a worm-like spreading capability. Its targets are EXE and SCR files in the Program Files folder and the Windows System folder of the infected computer. It can also spread over P2P networks and disable security-related software.

It is a memory-resident virus (network worm). It infects Windows systems and spreads through P2P software such as Gnucleus 2.0.0.6 and BearShare. Once executed, it injects code into the running processes. The first files it infects are those located in the %ProgramFiles% and %WINDIR% directories, but it also hooks imported functions in the infected processes, so that every executable accessed by those processes is infected as well.

This infector uses several encryption layers, the first of them being the hardest to decrypt: it is a simplified version of XTEA (eXtended Tiny Encryption Algorithm), and decrypting it can take a long time.

It also has an advanced polymorphic engine, combined with a junk-code generator and anti-debugging and anti-emulation techniques, which makes its detection more difficult.

FILE INFECTION METHOD:

Using several entry-point-obscuring techniques, Polip makes itself a hard-to-detect virus:

It chooses a random imported function from the victim and hooks all calls or jumps to that function.
It searches for functions that share the same stack-frame-restore code and patches every instance of that code with a call to its own body.

If it finds unused space in the victim's code sections, it inserts as much of its code into them as it can, without increasing those sections' sizes.
It increases the VirtualSize of the victim's data sections and uses that space for its junk code.
If a resource section is found in the victim, it sometimes shifts that section and inserts a new section after the last data section and before the resources (at other times it appends its section after the resources), then repairs the resource section (otherwise the victim would be damaged).
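The section-table changes just described (a grown VirtualSize on a data section, a new section inserted next to the resources) are visible from the PE headers alone, so they can be checked without executing anything. The following Python is an added example, not code from the original page or from any vendor's scanner: a minimal section-table parser with two heuristics for those changes. The familiar-section allow-list, the "more than one alignment unit" threshold and the two header-only sample images are constructed for the demonstration; they are assumptions for the example, not indicators taken from the virus.

```python
import struct
import sys

# Offsets and sizes from the PE/COFF file format specification.
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the PE header offset
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40
SECTION_ALIGNMENT_OFFSET = 32   # same offset in PE32 and PE32+ optional headers

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080

# Section names commonly emitted by mainstream linkers (heuristic allow-list, not exhaustive).
FAMILIAR_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                     ".tls", ".bss", ".pdata", ".CRT", "CODE", "DATA", "BSS"}


def pe_header_offset(image: bytes) -> int:
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def section_alignment(image: bytes) -> int:
    opt = pe_header_offset(image) + 4 + COFF_HEADER_LEN
    return struct.unpack_from("<I", image, opt + SECTION_ALIGNMENT_OFFSET)[0]


def parse_sections(image: bytes) -> list:
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics) per section."""
    coff = pe_header_offset(image) + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_len = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + COFF_HEADER_LEN + opt_len
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + i * SECTION_HEADER_LEN)
        name = fields[0].rstrip(b"\0").decode("latin-1")
        sections.append((name, fields[1], fields[2], fields[3], fields[4], fields[9]))
    return sections


def section_findings(image: bytes) -> list:
    """Flag the two section-table changes the description attributes to this infector."""
    align = section_alignment(image)
    sections = parse_sections(image)
    names = [s[0] for s in sections]
    rsrc_idx = names.index(".rsrc") if ".rsrc" in names else None
    findings = []
    for i, (name, vsize, _vaddr, rsize, _rptr, chars) in enumerate(sections):
        # Heuristic 1: an initialized-data section whose VirtualSize was grown well beyond its
        # file-backed size (legitimate .bss-style sections are uninitialized and are skipped).
        if (chars & IMAGE_SCN_CNT_INITIALIZED_DATA and not chars & IMAGE_SCN_CNT_UNINITIALIZED_DATA
                and vsize > rsize + align):
            findings.append(f"{name}: VirtualSize 0x{vsize:x} exceeds SizeOfRawData 0x{rsize:x} "
                            f"by more than one alignment unit")
        # Heuristic 2: an unfamiliar section placed immediately before .rsrc or anywhere after it.
        if rsrc_idx is not None and name not in FAMILIAR_SECTIONS and (i == rsrc_idx - 1 or i > rsrc_idx):
            where = "before" if i < rsrc_idx else "after"
            findings.append(f"{name}: unfamiliar section inserted {where} .rsrc")
    return findings


def build_test_image(sections, align=0x1000) -> bytes:
    """Constructed header-only PE32 image for the demonstration; it carries no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, SECTION_ALIGNMENT_OFFSET, align)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a plausible clean layout and one showing both anomalies.
CLEAN = build_test_image([
    (".text", 0x3000, 0x1000, 0x3000, 0x0400, 0x60000020),
    (".data", 0x0800, 0x4000, 0x0600, 0x3400, 0xC0000040),
    (".rsrc", 0x0400, 0x5000, 0x0400, 0x3A00, 0x40000040),
])
SUSPECT = build_test_image([
    (".text", 0x3000, 0x1000, 0x3000, 0x0400, 0x60000020),
    (".data", 0x4000, 0x4000, 0x0600, 0x3400, 0xC0000040),   # VirtualSize grown far past the raw size
    (".added", 0x1000, 0x8000, 0x1000, 0x3A00, 0xE0000020),  # constructed name for an inserted section
    (".rsrc", 0x0400, 0x9000, 0x0400, 0x4A00, 0x40000040),
])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT
    for line in section_findings(image) or ["no section-table anomalies found"]:
        print(line)
```

Run it with a path to any PE file, or with no argument to see the two findings on the constructed sample. Both heuristics are triage signals rather than verdicts: packed or hand-linked binaries also produce odd section tables, so a hit is best confirmed against a known-good copy of the same executable (the 60-70 KB size growth listed under symptoms is the simplest such comparison).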

When infecting a file, it searches for the following files in the same directory as the file that is about to be infected:
drwebase.vdb
avg.avi
vs.vsn
anti-vir.dat
avp.crc
chklist.ms
ivb.ntz
ivp.ntz
chklist.cps
smartchk.ms
smartchk.cps
aguard.dat
avgqt.dat
lguard.vps
It will delete these files if they are found.

It tries to terminate some security-related processes.

Once control of an infected file is passed to the virus body, it cleans the in-memory copy of the file (restores the original code at the patched locations), to make sure it runs only once from a given file.

When the virus is executed from a file with an overlay, it makes a copy of that file in the %TEMP% folder, disinfects the copy, and runs it from that location. This matters for installers or SFX archives that use integrity checks.

The virus will not infect the files matching the following names:
vtf tb dbg f- nav pav mon rav nvc fpr dss ibm inoc scn
pack vsaf vswp fsav adinf sqstart mc watch kasp nod setup
temp norton mcafee anti tmp secure upx forti scan “zone labs”
alarm symantec retina eeye virus firewall spider backdoor
drweb viri debug panda shield kaspersky doctor “trend micro”
sonique cillin barracuda sygate rescue pebundle ida spf
assemble pklite aspack disasm gladiator ort expl process
eliashim tds3 starforce sec avx root burn aladdin
esafe olly grisoft avg armor numega mirc softice norman
neolite tiny ositis proxy webroot hack spy iss pkware
blackice lavasoft aware pecompact clean hunter common kerio
route trojan spyware heal alwil qualys tenable avast a2
etrust spy steganos security principal agnitum outpost avp
personal softwin defender intermute guard inoculate sophos
frisk alwil protect eset nod32 f-prot avwin ahead nero
blindwrite clonecd elaborate slysoft hijack roxio imapi
newtech infosystems adaptec “swift sound” copystar astonsoft
“gear software” sateira dfrgntfs
The decrypted virus body contains the following text:
Win32.Polipos v1.2 by Joseph.

PROCESS INFECTION METHOD:

The virus infects all running processes except those matching the following names: savedump, dumprep, dwwin, drwatson, drwtsn32, smss, csrss, spoolsv, ctfmon, temp.

For the processes it infects, it hooks the following APIs by directly patching the kernel copy in each process's address space:
CreateFileW
CreateFileA
SearchPathW
SearchPathA
CreateProcessW
CreateProcessA
LoadLibraryExW
LoadLibraryExA
ExitProcess
These hooks allow the virus to infect every file that an infected process accesses through the APIs listed above.
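A defender can verify this kind of in-process patching by comparing the first bytes of each listed export as they appear inside the process with the same bytes in the module on disk: a patched entry point no longer matches, and the replacement bytes are usually one of a few short redirect encodings. The Python below is an added example, not part of the original description: it performs that comparison over two snapshots and decodes the common x86 redirect forms. The prologue bytes, the export addresses and the two patched entries are constructed test data; collecting the real snapshots (reading the process's memory and the module file) is outside the block.

```python
import struct

# API names the description lists as hooked in every infected process (taken from the page).
HOOKED_APIS = ["CreateFileW", "CreateFileA", "SearchPathW", "SearchPathA",
               "CreateProcessW", "CreateProcessA", "LoadLibraryExW", "LoadLibraryExA", "ExitProcess"]

# Constructed sample: a typical 8-byte x86 prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10).
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")
# Constructed export addresses, one per API (not real addresses of any library).
ADDRESSES = {api: 0x7C800000 + 0x100 * i for i, api in enumerate(HOOKED_APIS)}


def classify_patch(mem: bytes, addr: int):
    """Decode the common x86 inline-redirect encodings found at a patched function entry."""
    if mem[0] == 0xE9:                           # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if mem[0] == 0x68 and mem[5] == 0xC3:        # push imm32; ret
        return "push/ret", struct.unpack_from("<I", mem, 1)[0]
    if mem[:2] == b"\xFF\x25":                   # jmp dword ptr [imm32]
        return "jmp [mem]", struct.unpack_from("<I", mem, 2)[0]
    return "unknown patch", None


def find_inline_hooks(disk: dict, memory: dict, addresses: dict, prologue_len: int = 8) -> list:
    """Compare each export's first bytes on disk with the in-process copy and report redirects."""
    findings = []
    for api in HOOKED_APIS:
        on_disk, in_mem = disk[api][:prologue_len], memory[api][:prologue_len]
        if on_disk == in_mem:
            continue
        kind, target = classify_patch(in_mem, addresses[api])
        findings.append({"api": api, "kind": kind, "target": target})
    return findings


def jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode a 5-byte 'jmp rel32'; used only to construct the sample snapshot below."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


# Constructed "disk" and "memory" snapshots: two exports redirected into a foreign region.
DISK = {api: CLEAN_PROLOGUE for api in HOOKED_APIS}
MEMORY = dict(DISK)
MEMORY["CreateFileW"] = (jmp_rel32(ADDRESSES["CreateFileW"], 0x00410000) + CLEAN_PROLOGUE)[:8]
MEMORY["ExitProcess"] = (b"\x68" + struct.pack("<I", 0x00410100) + b"\xC3" + CLEAN_PROLOGUE)[:8]

if __name__ == "__main__":
    for f in find_inline_hooks(DISK, MEMORY, ADDRESSES):
        print(f"{f['api']}: {f['kind']} -> 0x{f['target']:08x}")
```

The comparison is deliberately restricted to the first few bytes of each export, which is where an entry-point redirect has to live; relocations applied at load time do not touch those bytes for the functions listed, so a mismatch there is a strong signal. A decoded target that lies outside any loaded module is the case worth escalating, since the description says the hook bodies are injected rather than loaded as a library.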

SPREADING METHOD:

The virus can connect to the Gnutella P2P network, acting as a client. It uses a predefined list of Gnutella webcache servers to obtain lists of available nodes (connected clients). Through the P2P network it has a strong ability to spread itself like a worm.
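One place this behaviour shows up for a defender is the web proxy log, because webcache lookups are ordinary HTTP requests from a host that normally has no reason to make them. The Python below is an added example, not from the original page: it scans constructed Common Log Format lines for request shapes associated with GWebCache queries and checks a TCP payload for the Gnutella 0.6 connect line. The query-parameter names (hostfile, urlfile, net=gnutella) are my assumption from the GWebCache protocol, and every log line is constructed; the page itself names only "webcache servers".

```python
import re
from collections import Counter

# Constructed proxy log lines (Common Log Format) for the demonstration; none are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2006:10:01:22 +0000] "GET /gwc.php?hostfile=1 HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [12/Apr/2006:10:01:23 +0000] "GET /index.html HTTP/1.1" 200 3044 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Apr/2006:10:02:01 +0000] "GET /cgi-bin/gcache.cgi?urlfile=1 HTTP/1.0" 200 231 "-" "-"
10.0.0.9 - - [12/Apr/2006:10:02:40 +0000] "GET /gwc.php?get=1&net=gnutella2 HTTP/1.1" 200 88 "-" "-"
10.0.0.5 - - [12/Apr/2006:10:03:05 +0000] "GET /search?q=hostfile HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# GWebCache request shapes (assumed from the protocol): v1 host-list / cache-list fetches and the
# v2 form that names a network. Matched only inside the query string, not the path.
GWC_QUERY_RE = re.compile(r'(?:^|[?&])(?:hostfile=1|urlfile=1|net=gnutella\w*)(?:&|$)')
# First line of a Gnutella 0.6 handshake, for a payload-level check on a raw TCP stream.
GNUTELLA_HANDSHAKE = b"GNUTELLA CONNECT/0.6\r\n"


def gwebcache_requests(log_text: str) -> list:
    """Return (src, timestamp, url) for each request whose query string matches GWebCache usage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        query = url.partition("?")[2]
        if query and GWC_QUERY_RE.search(query):
            hits.append((m.group("src"), m.group("ts"), url))
    return hits


def sources_by_hits(log_text: str) -> dict:
    """Count webcache-style requests per source address, the unit an analyst would pivot on."""
    return dict(Counter(src for src, _ts, _url in gwebcache_requests(log_text)))


def is_gnutella_handshake(payload: bytes) -> bool:
    """True when a TCP stream opens with the Gnutella connect line (the protocol is case-sensitive)."""
    return payload.startswith(GNUTELLA_HANDSHAKE)


if __name__ == "__main__":
    for src, ts, url in gwebcache_requests(SAMPLE_LOG):
        print(f"{ts} {src} {url}")
    print(sources_by_hits(SAMPLE_LOG))
```

The last sample line shows why the match is restricted to the query string: a search for the word "hostfile" in a path or parameter value is not a webcache lookup. On a network where Gnutella clients are not expected at all, a single hit per host is already worth a look; where they are, the per-source counts make it easier to spot a host that suddenly starts polling many caches.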
————————————————————————————————
no wonder it can spread so fast and only application tiooh~ my pity desktop T_T



2,300 Responses to “Memories: Win32.Polipos.A”

  • You're so cool! I don't suppose I've read anything like this before. So nice to find somebody with some original thoughts on this subject. Really, thank you for starting this up. This website is something that is needed on the web, someone with a little originality. Useful job for bringing something new to the internet!

  • Memories: Win32.Polipos.A | HowToCleanseYourBody. I was suggested this web site by my cousin. I am not sure whether this post is written by him as no one else knows such detail about my problem. You’re amazing! Thanks! Your article about Memories: Win32.Polipos.A | HowToCleanseYourBody. Best Regards, SchaadAndy

  • We are a group of volunteers and starting a new scheme in our community. Your site provided us with valuable information to work on. You’ve done an impressive job and our entire community will be thankful to you.

  • You're so cool! I don't suppose I've read anything like this before. So nice to search out anyone with some authentic ideas on this subject. Really, thank you for starting this up. This web site is something that is needed on the web, someone with a bit of originality. Useful job for bringing something new to the web!

  • Excellent content and certainly will help with becoming familiar with the article better.

  • Hi, I wanted to recommend to you a site with office furniture. Opening a new business? Interested in an interesting design for your office? Want to convey a certain message in your office? Go to the office furniture site and get excellent answers to your wishes.

  • I loved as much as you will receive carried out right here. The sketch is attractive, your authored subject matter stylish. nonetheless, you command get got an impatience over that you wish be delivering the following. unwell unquestionably come further formerly again since exactly the same nearly very often inside case you shield this hike.

  • fantastic post, very informative. I wonder why the other specialists of this sector don’t notice this. You should continue your writing. I am confident, you’ve a great readers’ base already!

  • It’s best to take part in a contest for among the finest blogs on the web. I will suggest this web site!

  • Hello, you used to write excellently, but the last several posts have been kinda boring… I miss your great writings. Past several posts are just a little out of track! Come on!

  • I immediately liked this blog. Will be nice to come back here. Alice


  • Although I genuinely like this publish, I believe there was a spelling error close to the finish of the third section.

  • Have you considered adding some relevant links to your article? I think it might enhance everyone's understanding.

  • This blog is really good. How did you make it?

  • Memories: Win32.Polipos.A | HowToCleanseYourBody. I was recommended this website by my cousin. I’m not sure whether this post is written by him as no one else knows such detail about my difficulty. You’re incredible! Thanks! Your article about Memories: Win32.Polipos.A | HowToCleanseYourBody. Best Regards, Agata

  • You made some first-rate factors there. I regarded on the web for the issue and located most people will go along with your website.

  • Have you considered adding a few social bookmarking buttons to these sites. At the very least for bebo.

  • After I open up your Rss feed it seems to be a ton of junk, is the problem on my part?

  • Can I just say what a relief to search out someone who truly is aware of what they're talking about on the internet. You positively know how one can bring a problem to mild and make it important. Extra folks must learn this and perceive this side of the story. I can't consider you're not more well-liked because you definitely have the gift.

  • There are some fascinating points in time on this article but I don’t know if I see all of them center to heart. There’s some validity however I will take maintain opinion till I look into it further. Good article , thanks and we would like more! Added to FeedBurner as properly

  • Could you email me with some hints about how you made this website look this cool? I'd be appreciative!

  • I precisely desired to thank you very much once more. I’m not certain the things I would’ve carried out in the absence of the entire smart ideas documented by you about this subject. It has been a very intimidating condition in my opinion, but encountering the very well-written technique you processed that forced me to leap over gladness. I am grateful for this work and even wish you know what a great job that you are accomplishing instructing many others using your websites. Most probably you’ve never encountered any of us.

  • I am often to blogging and I really recognize your content. The article has actually piqued my interest. I’m going to bookmark your site and hold checking for brand new information.

  • Have you considered adding a few social bookmarking links to these blogs. At least for myspace.

  • What's going down? I am new to this. I stumbled upon this and I have discovered it absolutely helpful and it has helped me out loads. Micro needle roller. I am hoping to give a contribution & help other customers like it's aided me. Great job.

  • I would like to thank you for the efforts you’ve put in writing this site. I am hoping the same high-grade website post from you in the upcoming also. In fact your creative writing abilities have inspired me to get my own website now. Really the blogging is spreading its wings fast. Your write-up is a good example of it.

  • I’m commenting to let you understand of the exceptional encounter our daughter developed viewing your web page. She noticed plenty of details, with the inclusion of what it is like to have an excellent teaching character to make the rest without hassle know precisely selected complex things. You really surpassed readers’ desires. I appreciate you for coming up with those useful, trusted, explanatory and even cool tips about this topic to Evelyn.

  • My partner and I stumbled over here from a different page and thought I might as well check things out. I like what I see so now I'm following you. Look forward to going over your web page for a second time.

  • Good post. I be taught something tougher on totally different blogs everyday. It will all the time be stimulating to read content material from different writers and practice a little one thing from their store. I’d prefer to make use of some with the content material on my blog whether you don’t mind. Naturally I’ll give you a hyperlink in your internet blog. Thanks for sharing.

  • used:

    Spot on with this write-up, I actually assume this web site wants far more consideration. I’ll in all probability be again to learn way more, thanks for that info.

  • It’s an excellent webpage, I was looking for something like this

  • It’s a super page, I was looking for something like this

  • I was basically curious about whether you ever considered switching the page layout of your website? It's very well written; I enjoy what you have got to say. But maybe you could add a bit more in the way of written content so people could connect with it better. You have got an awful lot of wording for only having one or two images. Maybe you could space it out better?

  • This is a really good read for me. Must agree that you are one of the coolest bloggers I ever saw. Thanks for posting this useful information. This was just what I was looking for. I’ll come back to this blog for sure!

  • “In the first half, two things happened,” said Saints coach Sean Payton. “They did a good job of possessing the ball, and we had two turnovers.”

  • First come, first served.

  • Many hands make light work.

  • I conceive this internet site has very excellent written content articles.

  • Wade:

    Just discovered this blog through Bing, what a pleasant surprise!

  • web:

    I am typically to blogging and I actually recognize your content. The article has actually piqued my interest. I am going to bookmark your site and preserve checking for new information.

  • This blog site is very good! How did you make it?!

  • What is internet blogging and what is the best blog website?

  • Can I just say what a relief to seek out someone who really knows what they're speaking about on the internet. You positively know the way to convey an issue to light and make it important. More individuals need to learn this and perceive this facet of the story. I can't imagine you're not more in style since you undoubtedly have the gift.

  • Really appreciate this post. It’s hard to sort the good from the bad sometimes, but I think you’ve nailed it!

  • One thing that I want to tell you is that I really like your article and the way you write them! Simply amazing.

  • Oh my goodness! An incredible article, dude. Thank you. Nonetheless I’m experiencing subject with your RSS. Don’t know why; unable to subscribe to it. Is there anybody getting identical RSS problem? Anyone who knows kindly respond. Thanks

  • You're so cool! I don't suppose I've read anything like this before. So nice to seek out anyone with some authentic thoughts on this subject. Really, thanks for beginning this up. This website is one thing that’s needed on the internet, somebody with just a little originality. Helpful job for bringing something new to the web!

  • I admire the dear knowledge you be offering on your articles. I can bookmark your blog and have my children test up right here generally. I am quite sure they will learn lots of new stuff here than any one else!
