W32.Junkcomp


Aliases: Virus.Win32.Junkcomp, Win32.Junkcomp, W32/Junkcomp, Win32.Surrender.18674 
Variants: W32/Junkcomp-A, Win32/Junkcomp.A, PE_SUNDER.A, Win32:Naith-C, W32/Junkcomp.A 

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 07 Jan 2003
Damage: Low

Characteristics: W32.Junkcomp is a polymorphic virus that infects Portable Executable (PE) files. In some scenarios, the virus only corrupts PE files without infecting them: it appends arbitrary data to the end of the corrupted file and may also slightly alter the PE header, but the file remains fully functional. Corrupted files will hardly be detected because they do not contain the virus itself.

More details about W32.Junkcomp

When W32.Junkcomp executes on a compromised machine, it infects PE files in the same location as itself and PE files that a certain registry entry points to. When it infects a PE file, the malware saves the first 8KB of the PE file at the executable entry point in encrypted form and then replaces it with a polymorphic decryptor. The virus does this so that the default entry point value in the file header does not have to be altered. The body of the malware is stored in the file's end section. The polymorphic engine is rather complex and can generate a wide array of instructions, including ones rarely used in decryptors, as an anti-emulation feature.

The virus also implements anti-debugging functions, such as checking whether different kinds of breakpoints point to the code of the virus. If W32.Junkcomp detects that it is being debugged, it deliberately crashes itself. The virus cannot detect its own presence in PE files it has already infected, so it may re-infect them. Each time the virus infects a file, the file grows by approximately 32KB.

A W32.Junkcomp infection is best removed with the help of a competent antivirus program. Once you have an antivirus program that can remove this virus, run a complete scan of the machine and then delete all files that the antivirus flags as related to W32.Junkcomp.
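
The file-level traits described above (entry point value left unchanged, code at the entry point replaced, data added at the end of the file) can be checked by comparing a suspect file with a known-good copy of the same program. The following is an added example, not code from the original page; the function names and the sample PE image are constructed for illustration, and the check assumes a trusted baseline copy is available.

```python
import struct

def pe_layout(data: bytes) -> dict:
    """Locate the entry point on disk and the end of the last section's raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry_rva, = struct.unpack_from("<I", data, pe + 24 + 16)
    out = {"entry_rva": entry_rva, "entry_off": None, "entry_end": None, "raw_end": 0}
    for i in range(nsec):
        _, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        out["raw_end"] = max(out["raw_end"], rptr + rsize)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            out["entry_off"] = rptr + (entry_rva - vaddr)
            out["entry_end"] = rptr + rsize
    out["overlay"] = max(0, len(data) - out["raw_end"])  # bytes past every section
    return out

def entry_window(data: bytes, lay: dict, window: int) -> bytes:
    """Bytes at the entry point, clamped to the section that holds it."""
    if lay["entry_off"] is None:
        return b""
    return data[lay["entry_off"]:min(lay["entry_off"] + window, lay["entry_end"])]

def compare_to_baseline(clean: bytes, suspect: bytes, window: int = 8 * 1024) -> dict:
    """Diff a suspect file against a known-good copy of the same program."""
    a, b = pe_layout(clean), pe_layout(suspect)
    return {
        "entry_rva_unchanged": a["entry_rva"] == b["entry_rva"],
        "entry_code_changed": entry_window(clean, a, window) != entry_window(suspect, b, window),
        "file_growth": len(suspect) - len(clean),
        "overlay_growth": b["overlay"] - a["overlay"],
        "last_section_growth": b["raw_end"] - a["raw_end"],
    }

def build_sample_pe(code: bytes, tail: bytes = b"") -> bytes:
    """Constructed one-section PE image for the demo; not a real program."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)   # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x94, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<I", hdr, 0xA8, 0x1000)      # AddressOfEntryPoint
    raw = code.ljust(-(-len(code) // 0x200) * 0x200, b"\0")
    struct.pack_into("<8sIIII", hdr, 0x178, b".text", len(code), 0x1000, len(raw), 0x200)
    return bytes(hdr) + raw + tail
```

An unchanged entry point RVA combined with changed entry code and file growth matches the infection pattern; growth with unchanged entry code matches the corruption-only case.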