Win32/Porex [Threat Name]

Win32/Porex [Threat Variant Name]

Category virus
Size 36864 B
Detection created Oct 19, 2002
Signature database version 318
Aliases Virus.Win32.Porex.a (Kaspersky)
  W32.Porex (Symantec)
  Worm:Win32/Porex.A@mm (Microsoft)

Short description

Win32/Porex is a file infector.

Installation

When executed, the virus creates the following files:

  • %windir%\poserv.exe

The virus registers itself as a system service using the following name:

  • PO system service

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "PO system service" = "%windir%\poserv.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PO system service]
    • "Type" = 272
    • "Start" = 2
    • "ImagePath" = "%windir%\poserv.exe"
    • "DisplayName" = "PO system service"

File infection

The virus searches local drives for files with the following file extensions:

  • .exe

The virus infects the files by inserting its code at the beginning of the original program.


The original host executable can be reconstructed when an infected file is run.


The virus creates the following files:

  • %originalfilename%.rnt (Win32/Porex, 36864 B)

The virus searches local drives for files with the following file extensions:

  • .doc

When the virus finds a file matching the search criteria, it creates a new copy of itself.


The name of the new file is based on the name of the file found in the search.


The extension of the file is .exe.

Information stealing

Win32/Porex is a virus that steals passwords and other sensitive information.


The virus collects information related to the following applications:

  • ICQ

The virus collects the following information:

  • computer name
  • user name
  • CPU information
  • operating system version

The virus is able to log keystrokes.


The collected information is stored in the following file:

  • %windir%\logger.bin

The virus sends the information via e-mail.


The virus contains a list of (1) addresses.

Other information

The virus may create the following files:

  • %temp%\TMPTMP.$11
  • %windir%\TMPTMP.$11

The virus terminates processes with any of the following strings in the name:

  • _avpm.exe
  • aplica32.exe
  • avconsol.exe
  • avpm.exe
  • blackice.exe
  • cfiadmin.exe
  • cfiaudit.exe
  • cfinet.exe
  • cfinet32.exe
  • firewall
  • frw.exe
  • iamapp.exe
  • iamserv.exe
  • ip_tools.exe
  • jammer.exe
  • kerio
  • lockdown2000.exe
  • navapw32.exe
  • navw32.exe
  • outpost.exe
  • pcfwallicon.exe
  • safeweb.exe
  • sewf.exe
  • tds2-98.exe
  • vsecomr.exe
  • vshwin32.exe
  • vsmon.exe
  • vsstat.exe
  • webscanx.exe
  • zonealarm.exe

The following services are disabled:

  • BlackICE
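
The file artifacts listed under Installation, File infection, Information stealing and Other information can be checked on disk with a directory walk. The sketch below is an added example, not code from this page's vendor. The function names are hypothetical, and it assumes that a name "based on" the found .doc file means the same base name. The registry entries are not covered.

```python
import os

VIRUS_SIZE = 36864  # virus body size stated on this page, in bytes
# File names from this page (expected under %windir% or %temp%).
# A name match elsewhere on disk is a lead to review, not a verdict.
DROPPED_NAMES = {"poserv.exe", "logger.bin", "tmptmp.$11"}


def scan_tree(root):
    """Walk root and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Base names of .doc files in this directory, compared case-insensitively.
        doc_stems = {os.path.splitext(f)[0].lower()
                     for f in files if f.lower().endswith(".doc")}
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            stem, ext = os.path.splitext(lower)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or removed mid-scan
            if lower in DROPPED_NAMES:
                findings.append(("dropped-file-name", path))
            elif size == VIRUS_SIZE and ext == ".rnt":
                findings.append(("rnt-copy", path))
            elif size == VIRUS_SIZE and ext == ".exe" and stem in doc_stems:
                # Assumption: the companion shares the .doc file's base name.
                findings.append(("doc-companion", path))
    return sorted(findings)


def make_sample_tree(root):
    """Constructed sample data: harmless zero-filled files, not malware."""
    layout = {
        "docs/report.doc": 100,
        "docs/report.exe": VIRUS_SIZE,   # companion next to a .doc
        "docs/setup.exe": VIRUS_SIZE,    # same size, no matching .doc
        "apps/tool.exe.rnt": VIRUS_SIZE,
        "windows/poserv.exe": 10,
        "windows/notepad.exe": 5000,
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
```

A size match alone does not confirm infection; findings should be handed to an up-to-date scanner for confirmation.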
