Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/Winemm.A is a file infector. The virus will attempt to download several files from the Internet. The files are then executed.
Executable file infection
The virus searches for executables with one of the following extensions:
  • .exe
  • .dll
The virus infects files referenced by the following Registry entries:
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run]
The virus infects files referenced by the following shortcuts:
  • %commondesktopdirectory%\*.lnk
  • %appdata%\Microsoft\Internet Explorer\Quick Launch\*.lnk
The virus infects files stored on removable and network drives.

Executables are infected by rewriting the code section of the original application with the program code of the infiltration. The original program code is inserted at the end of the file.

The size of the inserted code is 31 KB .

The virus parses the Import Table of executables and searches for associated dynamic link libraries (DLLs).

The virus copies the found DLL library to the folder containing the EXE file. The DLL is then infected by modifying its code at the Entry Point and appending the virus body to the end of the last section.

Malicious code is executed every time an infected DLL is loaded.
Other information
The virus hooks the following Windows APIs:
  • CreateFileW
  • ExitProcess
  • ExitWindowsEx
The virus contains a list of (2) URLs. It tries to download several files from the addresses.

These are stored in the following locations:
  • %temp%\%variable%.tmp
A string with variable content is used instead of %variable% .

The files are then executed.