W32.Pinfi


Aliases: Win32.Parite.a [KAV], W32/Pate.a [McAfee], Win32.Pinfi.A [CA], PE_PARITE.A [Trend], W32/Parite-A [Sophos]
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Moderate
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 11 Oct 2001
Damage: Low

Characteristics: W32.Pinfi first appeared on October 11, 2001. It is a memory-resident polymorphic virus that infects .EXE and .SCR files. It also spreads through mapped drives and open network shares. The virus is also known as Win32.Parite.a, W32/Pate.a, Win32.Pinfi.A, PE_PARITE.A, W32/Parite-A and Win32/Parite.A. Affected operating systems are Windows 2000, 95, 98, Me, NT and XP.

More details about W32.Pinfi

Once W32.Pinfi is executed, the virus adds the registry value PINF to a particular system registry key and appends itself to the Explorer.exe file to remain memory-resident. It also appends itself to EXE and SCR files on all local and mapped drives. The virus's infection algorithm works slowly, infecting a few files one at a time. The virus then uses a Windows API to create a temporary file in the temporary folder. This file is a UPX-packed executable. The virus can execute the temporary file, and through this UPX-packed executable it attempts to infect files over network shares.

The W32.Pinfi software connects to a remote server whose location is hard-coded in its programming. It then downloads files onto the infected computer. These files are generally installers for malware applications. The downloaded malicious software is installed and added to the system registry so that the programs run at system startup. They can then be executed to run in the background. The new programs may be adware, spyware or other Trojan applications.