The Latest in IT Security

There’s nothing old school about viruses


Recently, we discovered a new parasitic infection virus in the wild – Win32/Floxif – which specifically targets DLL files. Most of the attacks of this threat have been observed to come from a specific geographic region.

Win32/Floxif replaces 5 bytes at the entry point of the infected file with a jmp instruction, which jumps directly to the virus body (as shown in Figure 1):


Figure 1: The virus replaces 5 bytes at entry point

The virus body drops a malicious file with a deceptive file name %Program Files%\Common Files\System\symsrv.dll” and then it calls the export function FloodFix of the dropped DLL. The rest of the work is done in this export function, which can be detailed as the following:

  1. Restore the stolen code(including the 5 bytes at the entry point and another code chunk overwritten by the virus) for the host file
  2. Process the relocation table for the host file (the relocation table entry has been removed from the PE file after infection)
  3. Pass control back to the host file

Win32/Floxif adopts 2 different infection strategies to choose the DLL to infect:

  1. Enumerate the loaded DLL files in the running processes
  2. Blanket search for all the DLL files on all drives

In both cases, DLL files under %windows% directory are avoided.

Below is a list of the top 10 reported infected DLL files in our telemetry:

  1. jvm.dll
  2. MSVCR71.DLL
  3. awt.dll
  4. jqs_plugin.dll
  5. ZipLib.dll
  6. WSignature.dll
  7. xappex.
  8. MSVCR100.dll
  9. msoxmlmf.dll
  10. XLUE.dll

Win32/Floxif downloads an encrypted PE file and executes it. The downloaded file is detected as Trojan:Win32/Plexardu.A.

Chun Feng
MMPC Melbourne

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments