W32.Hezhi
Aliases: Win32.Hezhi, W32/Hezhi.a, PE_HEZHI.A
Variants: Virus.Win32.Hezhi, Win32.Hezhi.B, W32/Hezhi.b

Classification: Malware
Category: Computer Virus

Status: Dormant
Spreading: Slow
Geographical info: North and South America, Europe
Removal: Easy
Platform: W32
Discovered: 22 Apr 2002
Damage: Low

Characteristics: One of the most immediate results of a W32.Hezhi infection is the negative effect it has on the overall security of the host computer system. It has been observed to degrade, if not terminate outright, running system processes. Some reports likewise indicate that it may attempt to retrieve or request files from predetermined malicious Web servers. This virus is known to infect Portable Executable files in the Windows environment.

More details about W32.Hezhi

When W32.Hezhi first launches on a compromised computer system, it attempts to decrypt its code and resolve every Application Programming Interface (API) it requires in order to establish its presence on the machine and replicate. The virus creates new system sub-processes tasked with running its host application side by side with the virus itself. At the same time, the main W32.Hezhi process begins infecting Portable Executable (PE) files found on the system. Essentially, all executable files are Portable Executable files, but not all Portable Executable files use the EXE format. As a case in point, W32.Hezhi may infect a Portable Executable file that uses the SCR file extension.

However, one of W32.Hezhi's requirements when infecting a file is that the Portable Executable uses the EXE extension. It also requires the target file to be larger than eight kilobytes. W32.Hezhi likewise checks the location of the file: it never infects files stored in folders whose names begin with the word System. The malware also avoids executable files whose filenames begin with certain predetermined text strings. W32.Hezhi targets files stored on removable and fixed storage devices, including those located on network shares.
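The selection rules described above (PE file, EXE extension, larger than eight kilobytes, not under a folder beginning with "System", filename not starting with one of the skipped strings) translate directly into a defender-side triage filter: walking a volume and listing the files that fit this profile tells a responder which files to scan or hash-compare first. The script below is an added example written for this entry, not code from the entry or from any vendor; it assumes a simplified PE check (MZ header whose e_lfanew points at the "PE\0\0" signature) and, because the entry does not list the predetermined filename prefixes the virus skips, uses an obviously labelled placeholder list. The sample files it builds are constructed stand-ins with a PE header layout only, not real executables.

```python
# Added example (not from the original entry): a defender-side triage script that
# walks a directory tree and lists the PE files matching the target profile the
# entry attributes to W32.Hezhi, so a responder knows which files to scan first.
import os
import struct
import tempfile
from pathlib import Path

MIN_SIZE = 8 * 1024                  # entry: targets must be larger than eight kilobytes
SKIPPED_PREFIXES = ("placeholder_",) # ASSUMPTION: the entry does not list the real strings


def is_pe_file(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos_header = f.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 60)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def in_system_folder(path):
    """True if any directory on the path begins with 'System' (e.g. System32)."""
    return any(part.lower().startswith("system") for part in Path(path).parent.parts)


def matches_hezhi_profile(path, skipped_prefixes=SKIPPED_PREFIXES):
    """Apply the entry's selection rules: .exe extension, larger than 8 KB, not under
    a System* folder, filename not starting with a skipped prefix, valid PE header."""
    p = Path(path)
    if p.suffix.lower() != ".exe":
        return False
    try:
        if p.stat().st_size <= MIN_SIZE:
            return False
    except OSError:
        return False
    if in_system_folder(p):
        return False
    if p.name.lower().startswith(tuple(s.lower() for s in skipped_prefixes)):
        return False
    return is_pe_file(p)


def candidate_files(root, skipped_prefixes=SKIPPED_PREFIXES):
    """Return the sorted list of paths under root that fit the profile."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if matches_hezhi_profile(full, skipped_prefixes):
                hits.append(full)
    return sorted(hits)


def write_fake_pe(path, size):
    """Write a constructed, non-executable stand-in with a valid MZ/PE header layout."""
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"  # e_lfanew = 64
    with open(path, "wb") as f:
        f.write(header.ljust(size, b"\0"))


def build_sample_tree(base):
    """Construct sample files (all fabricated) that exercise each rule; return their paths."""
    os.makedirs(os.path.join(base, "apps"))
    os.makedirs(os.path.join(base, "System32"))
    paths = {
        "target": os.path.join(base, "apps", "tool.exe"),             # fits every rule
        "small": os.path.join(base, "apps", "tiny.exe"),              # too small
        "system": os.path.join(base, "System32", "svc.exe"),          # System* folder
        "scr": os.path.join(base, "apps", "saver.scr"),               # PE but not .exe
        "skipped": os.path.join(base, "apps", "placeholder_app.exe"), # skipped prefix
        "notpe": os.path.join(base, "apps", "fake.exe"),              # .exe without PE header
    }
    write_fake_pe(paths["target"], 12 * 1024)
    write_fake_pe(paths["small"], 4 * 1024)
    write_fake_pe(paths["system"], 12 * 1024)
    write_fake_pe(paths["scr"], 12 * 1024)
    write_fake_pe(paths["skipped"], 12 * 1024)
    with open(paths["notpe"], "wb") as f:
        f.write(b"not a PE header".ljust(12 * 1024, b"\0"))
    return paths


def run_demo():
    """Build the sample tree in a temporary directory and return (paths, hits)."""
    base = tempfile.mkdtemp()
    paths = build_sample_tree(base)
    return paths, candidate_files(base)


if __name__ == "__main__":
    demo_paths, demo_hits = run_demo()
    for hit in demo_hits:
        print("candidate for scanning:", hit)
```

Run against a mounted volume or share by calling `candidate_files("/path/to/volume")`; the sample tree in `run_demo` exists only to show that exactly one of the six constructed files survives all five rules. Note that the profile is a prioritisation aid, not an infection indicator: a file matching it still needs an actual signature or hash check.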