Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


How powerful are file infector viruses?

  • Please log in to reply
1 reply to this topic

#1 ering


  • Members
  • 3 posts
  • Local time:09:44 AM

Posted 06 November 2013 - 08:24 PM

Do file infector viruses have the ability to do things like install new programs on your computer or put things like picture or video files onto it? Or is this kind of behavior usually limited to Trojans? Thanks for any help. 

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,756 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:44 AM

Posted 07 November 2013 - 09:15 AM

File infector viruses are the 'classic' form of virus, those to which the term is most commonly and, along with boot sector viruses, most appropriately applied.

When an infectious file is executed on a system, the infection routine will seek out other files and insert its code into them, generally at the beginning or end of the existing file (prepending or appending viruses), but also occasionally in the middle of the file (mid-infector) or spreading itself across gaps in the file structure. The entry point of the file is redirected to the start of the virus code to ensure that it is run when the file is executed, and control may or may not be passed on to the original program in turn.

File infector viruses often misinfect, either leaving the file completely non-functional or simply failing to run the viral code at all. More sophisticted forms of file infector virus, which try to hide their presence by changing aspects of their code with each infection, are known as polymorphic or metamorphic viruses.

What is a file infector?

For example, Virut is a dangerous polymorphic file infector that infects .exe/.scr files on the compromised computer, opens a back door and may download more malicious files. Some variants of virut will disable Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory while others can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). More complex variants like Virux and Win32/Virut.17408 can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection and amount of damage can vary.

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Expiro (Win32/Expiro) is a dangerous family of polymorphic file infectors which encrypts its code differently with each infection...meaning that the viral code inserted into each infected file is unique. Typically the virus infects executable files with .exe extensions in all drives, and steals user login credentials which it sends back to the attacker. It also allows backdoor access and control to the infected computer, lowers Internet Explorer settings and includes functionality to inject malicious code into web pages visited.

Win32/Sality is a dangerous polymorphic file infector which infects .exe, .scr files, creates a peer-to-peer (P2P) botnet that compromises your computer, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

Further with file infectors, your machine has likely been compromised by a backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. Thats right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users