

| Title | File | Date |
|---|---|---|
| Increase of File replacing virus | -- | 06/04/10 |

Written by HAURI Virus Lab.
Recently, file-replacing viruses that target software update programs have been increasing. Such a virus replaces a normal system file with a malicious file. A few days ago, a new type of file-replacing virus that targets the Adobe Reader update program appeared.
2007 – System file replacing virus
In 2007, file-replacing viruses mostly targeted Windows system files (explorer.exe, svchost.exe, userinit.exe, winlogon.exe, rpcss.dll, lpk.dll, comres.dll, etc.).
The virus backed up the original Windows system file so that the system kept working, and ran the backed-up file whenever the user executed the replaced one.
Because of this behaviour, if an anti-virus program deleted the virus without restoring the backed-up system file, Windows often stopped working properly. To restore an infected system, you may need to copy a clean system file from the i386 folder of the Windows installation CD to the PC.
Once you have restored the system with clean files, keep applying Windows security patches so that the system is not infected again.
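The check and restore step described above, written as an added PowerShell example (it is not code from the HAURI article). It compares each system file the article lists against the compressed copy on the installation media and keeps the suspect file aside before overwriting it. The media path `D:\i386`, the working folder and the function names are assumptions for illustration.

```powershell
# Added example; not code from the HAURI article. Compares the system files
# the article lists against the copies on Windows installation media and
# shows the restore step. Assumptions: $MediaI386 is the i386 folder of the
# installation CD (the drive letter varies); PowerShell 3 or later.

$MediaI386 = 'D:\i386'
$Files = 'explorer.exe','svchost.exe','userinit.exe','winlogon.exe',
         'rpcss.dll','lpk.dll','comres.dll'
$Work = Join-Path $env:TEMP 'i386-check'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-LiveFilePath {
    # explorer.exe lives in %SystemRoot%, the others in system32
    param([string]$Name)
    foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\system32")) {
        $p = Join-Path $dir $Name
        if (Test-Path -LiteralPath $p) { return $p }
    }
    return $null
}

function Expand-FromMedia {
    # i386 ships files compressed as NAME.EX_ / NAME.DL_; expand.exe unpacks them
    param([string]$Name, [string]$DestDir)
    $packed = Join-Path $MediaI386 ($Name.Substring(0, $Name.Length - 1) + '_')
    if (-not (Test-Path -LiteralPath $packed)) { return $null }
    $out = Join-Path $DestDir $Name
    & "$env:SystemRoot\system32\expand.exe" $packed $out | Out-Null
    if (Test-Path -LiteralPath $out) { return $out }
    return $null
}

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Compare-SystemFiles {
    # One row per file: version of the live copy, version on media, hash match
    foreach ($f in $Files) {
        $live  = Get-LiveFilePath $f
        $media = Expand-FromMedia -Name $f -DestDir $Work
        [pscustomobject]@{
            File     = $f
            LiveVer  = if ($live)  { (Get-Item -LiteralPath $live).VersionInfo.FileVersion }  else { 'missing' }
            MediaVer = if ($media) { (Get-Item -LiteralPath $media).VersionInfo.FileVersion } else { 'not on media' }
            SameHash = if ($live -and $media) { (Get-Sha256Hex $live) -eq (Get-Sha256Hex $media) } else { $null }
            LivePath = $live
        }
    }
}

function Restore-SystemFile {
    # Replaces the live file with the media copy, keeping the suspect file for analysis.
    param([string]$Name)
    $live  = Get-LiveFilePath $Name
    $media = Expand-FromMedia -Name $Name -DestDir $Work
    if (-not $live -or -not $media) { throw "Cannot restore $Name (live or media copy not found)" }
    Copy-Item -LiteralPath $live -Destination "$live.suspect" -Force
    Copy-Item -LiteralPath $media -Destination $live -Force
}

Compare-SystemFiles | Format-Table -AutoSize
# Restore-SystemFile 'lpk.dll'   # run only after confirming the live copy is malicious
```

Read `SameHash` together with the two version columns: when the media predates the installed service pack, a patched file will legitimately differ from the CD copy, so a mismatch is a lead rather than proof. Files that are in use (winlogon.exe, explorer.exe, svchost.exe) cannot be overwritten from the running system, so do the restore from an offline boot environment, and remember that a file copied from the CD is the unpatched version, which is exactly why the article tells you to re-apply security patches afterwards.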
2009 – Start program file replacing virus
In 2009, the trend of file-replacing viruses shifted from system files to Windows startup programs. The virus replaces a normal program registered in the startup registry key with a malicious program, which then runs automatically at system start.
The path of the startup registry key where startup programs are registered is as below. To block this infection, check whether each file registered in the startup registry key is a normal program.
2010 – Well-known software update file replacing virus
In 2010, file-replacing viruses are using update programs to deceive anti-virus programs and analysts. This new type of virus infects the PC after overwriting the software's update program.
Many analysts are confused because the virus carries the official package version information and the same icon.
Recently, a particular virus written in Visual Basic was found in well-known programs such as Adobe, DeepFreeze, Java and Windows. When it is executed, the DHCP Client, DNS Client and network sharing services are enabled and a port is opened for the attacker's remote command execution.
From now on, file-replacing viruses that target update programs and other normal files are likely to increase. The virus is getting more sophisticated, so it is harder to detect or to distinguish from normal files. Therefore, always keep your anti-virus program updated to the latest engine.
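The two checks recommended above, whether each startup-registry entry is a normal program (2009 section) and whether an update program that still shows the vendor's version string and icon is really the vendor's file (2010 section), as one added PowerShell example that is not code from the HAURI article. It enumerates the standard Run/RunOnce autostart keys, adds a list of updater paths, and prints the Authenticode status of each file next to the version information the file claims for itself; a replaced updater keeps the version info and icon but cannot keep a valid vendor signature. The updater paths in `$UpdaterCandidates` and the function names are assumptions for illustration.

```powershell
# Added example; not code from the HAURI article. Lists every program
# registered under the standard Run/RunOnce autostart keys, plus a set of
# assumed vendor updater paths, and reports Authenticode status next to the
# file's own version info so a replaced updater that kept the vendor's
# version string and icon still stands out. Requires PowerShell 3 or later.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed updater locations used only for illustration; adjust to the host.
$UpdaterCandidates = @(
    "$env:ProgramFiles\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
    "$env:ProgramFiles\Common Files\Java\Java Update\jusched.exe"
)

function Get-CommandPath {
    # Extracts the executable path from a Run value such as
    #   "C:\Program Files\Vendor\update.exe" /silent   or   C:\tools\x.exe -q
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|scr|com|bat|cmd))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-AutostartFile {
    # Signature status and self-declared version info for one file
    param([string]$Path, [string]$Source)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
        return [pscustomobject]@{ Source = $Source; Path = $p; Exists = $false
                                  Signature = 'n/a'; Signer = ''; Company = ''; Version = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    $ver = (Get-Item -LiteralPath $p).VersionInfo
    [pscustomobject]@{
        Source    = $Source
        Path      = $p
        Exists    = $true
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Company   = $ver.CompanyName        # what the file claims about itself
        Version   = $ver.FileVersion
    }
}

$results = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = $item.GetValue($name)
        if (-not $cmd) { continue }
        $results += Test-AutostartFile -Path (Get-CommandPath $cmd) -Source "$key\$name"
    }
}
foreach ($u in $UpdaterCandidates) {
    $results += Test-AutostartFile -Path $u -Source 'updater'
}

$results | Sort-Object Signature | Format-Table Source, Signature, Company, Signer, Version, Path -AutoSize

# Anything present but not carrying a valid signature deserves a closer look,
# especially when CompanyName claims a vendor that normally signs its updaters.
$suspect = $results | Where-Object { $_.Exists -and "$($_.Signature)" -ne 'Valid' }
if ($suspect) {
    Write-Warning ("{0} autostart/updater file(s) without a valid signature" -f @($suspect).Count)
    $suspect | Format-Table Source, Signature, Company, Path -AutoSize
}
```

The useful column pair is `Company` against `Signer`: the version resource is plain data inside the file and is copied by the replacement, while the signature is bound to the file's bytes, so a file that says "Adobe" in `Company` but shows `NotSigned` or `HashMismatch` is exactly the 2010 pattern. Entries that launch a host such as rundll32.exe are only checked as far as the host executable; the DLL it loads needs the same treatment separately.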
