W32/Liji-A virus propagation
A new virus appeared today, notable for the way in which it infects files and propagates.
The virus W32/Liji-A consists of two distinct core components: an executable (EXE) which, when run, also drops a dynamic link library (DLL).
The virus functions as follows:
Dynamic link library (DLL) - Contains the infection code. The infection routine is called via an export function of the library. The infection code also contains an infection marker that prevents files already infected with W32/Liji-A from being infected a second time.
Main executable (EXE) - The main functional program. It can spread via network shares and removable shared drives. It also enumerates folders on the infected computer system and infects clean executables.
In a slight twist, the infected files do not go on to infect other files. Instead, when an infected file is run, it connects to a remote website and attempts to download a file. The downloaded file is a copy of the main executable (W32/Liji-A).
W32/Liji-A also contains a disinfection routine that cleans executables that have been infected with the virus.
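Because the main executable modifies clean executables on disk and drops a new DLL, a file-integrity baseline is a simple way for a defender to spot this kind of infector regardless of its specific marker. The script below is an added example, not code from Sophos or from the post; it assumes a typical set of Windows executable extensions and uses a constructed temporary directory tree in which one EXE is appended to and a DLL is dropped, then reports what changed against the baseline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: extensions a file infector is likely to target or drop.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every executable under root (POSIX-style relative path) to its SHA-256."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES:
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-scan root and classify executables as modified, added or removed relative to the baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then simulate an infector's footprint."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed stand-ins for executables (only the MZ prefix is realistic).
        (root / "app" / "clean.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "app" / "readme.txt").write_bytes(b"not an executable, ignored by the scan")
        (root / "tool.exe").write_bytes(b"MZ" + b"\x01" * 64)
        baseline = build_baseline(root)

        # Simulate the two changes the post describes: an existing executable is
        # altered, and a new library appears next to it.
        with (root / "app" / "clean.exe").open("ab") as f:
            f.write(b"<constructed appended bytes>")
        (root / "app" / "dropped.dll").write_bytes(b"MZ" + b"\x02" * 32)

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be taken from a known-clean image and stored off-host, and any "modified" or "added" entry under program directories would be triaged; since the hashes are compared exactly, the check does not depend on knowing the infector's own marker.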
More technical details can be found on the main Sophos website.
http://www.sophos.com/security/analyses/w32lijia.html
Posted on April 25th, 2007 by CheeHui, SophosLabs AU
Filed under: Uncategorized