Win32/Floxif [Threat Name]

Win32/Floxif.A [Threat Variant Name]

Category trojan, virus
Size 73851 B
Detection created Sep 11, 2012
Signature database version 7466
Aliases Virus.Win32.Pioneer.bv (Kaspersky)
  Virus:Win32/Floxif.E (Microsoft)
  W32.Fixflo!inf (Symantec)
  Win32:FloxLib-A (Avast)

Short description

Win32/Floxif.A is a file infector.

Installation

When executed, the virus creates the following files:

  • C:\Program Files\Common Files\System\symsrv.dll (67379 B, Win32/Floxif.A)

The virus hooks the following Windows APIs:

  • CreateFileW (kernel32.dll)
  • CreateProcessInternalW (kernel32.dll)
  • ExitProcess (kernel32.dll)
  • KiUserExceptionDispatcher (ntdll.dll)
  • MessageBoxTimeoutW (user32.dll)
  • WahReferenceContextByHandle (ws2help.dll)
  • connect (ws2_32.dll)

File infection

The virus searches local drives for files with the following file extensions:

  • .exe
  • .dll
  • .ocx

The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 73851 B.


It avoids files which contain any of the following strings in their path:

  • %windir%
  • 股票

Other information

The virus contains a list of 8 URLs.

It tries to download several files from these addresses over HTTP.


These are stored in the following locations:

  • C:\Program Files\Common Files\System\symsrv.dll.000
  • %temp%\update.exe
  • %temp%\p2pclient.exe
  • %drive%\pagefile.pif

The files are then executed.


The virus interferes with the operation of some security applications to avoid detection.


The virus terminates its execution if it detects that it's running in a specific virtual environment.


The virus may create the text file:

  • %drive%\autorun.inf
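
The file locations listed in this description can be checked with a short host sweep. The following is an added example, not ESET's code: the function names and the confidence labels are assumptions of this example, and the roots are parameters so the same check can run against a mounted disk image.

```python
from pathlib import Path

# Locations and the DLL size come from this description; the confidence labels
# are this example's own triage assumption, not ESET's.
SYSTEM_DIR = ("Program Files", "Common Files", "System")
DLL_SIZE = 67379
TEMP_NAMES = ("update.exe", "p2pclient.exe")  # common file names: weak signal
DRIVE_NAMES = (("pagefile.pif", "medium"), ("autorun.inf", "low"))


def _find(root, *parts):
    """Resolve parts under root ignoring case, so the sweep also works on a
    disk image mounted on a case-sensitive filesystem."""
    cur = Path(root)
    for part in parts:
        try:
            cur = next(e for e in cur.iterdir() if e.name.lower() == part.lower())
        except (OSError, StopIteration):
            return None
    return cur if cur.is_file() else None


def sweep(system_drive, temp_dir, drive_roots):
    """Return (indicator, path, confidence) for each listed artifact found."""
    findings = []
    dll = _find(system_drive, *SYSTEM_DIR, "symsrv.dll")
    if dll:
        exact = dll.stat().st_size == DLL_SIZE
        findings.append(("symsrv.dll", str(dll), "high" if exact else "medium"))
    staged = _find(system_drive, *SYSTEM_DIR, "symsrv.dll.000")
    if staged:
        findings.append(("symsrv.dll.000", str(staged), "medium"))
    for name in TEMP_NAMES:
        hit = _find(temp_dir, name)
        if hit:
            findings.append((name, str(hit), "low"))
    for root in drive_roots:
        for name, confidence in DRIVE_NAMES:
            hit = _find(root, name)
            if hit:
                findings.append((name, str(hit), confidence))
    return findings


if __name__ == "__main__":
    import os, string, tempfile
    drives = [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]
    system = os.environ.get("SystemDrive", "C:") + "\\"
    for finding in sweep(system, tempfile.gettempdir(), drives):
        print(*finding, sep="\t")
```

%temp% is per user, so a live run only covers the temp directory of the account running it. An empty result says nothing about whether .exe, .dll or .ocx host files have been infected.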
