The propagation of Win32.Polipos began in March. It was added to the Dr.Web virus base on March 20, 2006, and since then it has no longer been a danger to users of Dr.Web Anti-virus.
Apart from the complicated polymorphic technique used by the virus writer, the virus also has a dangerous function of "neutralizing" certain antivirus and security programs. Spreading readily across P2P networks, the virus infiltrates computers connected to these networks and, once run, secretly makes them accessible to the public of those P2P networks.
The virus infects Windows executables by writing the code of its polymorphic decoder into unused spaces of code sections, as if "covering the body of the victim with its own spots". When doing this, the virus creates a new section and places its main encoded code there, moving the resource section, if one exists, below it. When implanting itself into a file it does not modify the original entry point, but replaces the addresses of randomly selected API calls with the start address of the virus.
When the virus is launched, it implants its code into all running processes, except for the following:
savedump, dumprep, dwwin, drwtsn32, drwatson, kernel32.dll, smss, csrss, spoolsv, ctfmon, temp
Thus, several copies of the virus stay in the computer's memory, each responsible for a definite activity, for example searching for files to infect, infecting files, interacting with P2P networks based on Gnutella, etc. Infected files become available to members of this network.

Resident copies of Win32.Polipos intercept the following API functions: ExitProcess, CreateProcess, CreateFileA, LoadLibraryExA, SearchPathA, CreateProcessW, CreateFileW, LoadLibraryExW, SearchPathW. When any of these functions is called, new files get infected. When control is passed to a victimized file with overlays (sfx-archives, installation files, etc.), the virus tries to create the original copy of the file in the temporary directory with the name ptf*.tmp and runs it. This is done to evade the integrity check used by certain installers.
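The ptf*.tmp behaviour described above leaves a trace that can be hunted for in process-creation records. The following is an added example, not part of the original write-up or any Dr.Web tool: it flags processes whose image is a ptf*.tmp file under a temporary directory. The `time|parent|child` record format, the sample paths and the set of temp directory names are assumptions made for the illustration.

```python
import re
from pathlib import PureWindowsPath

# File-name pattern from the write-up: ptf*.tmp, created in the temporary directory.
DROP_NAME = re.compile(r"^ptf.*\.tmp$", re.IGNORECASE)
# Assumption: directory names treated as "temporary" on the monitored hosts.
TEMP_DIRS = {"temp", "tmp"}

# Constructed sample records, hypothetical format: time|parent image|child image
SAMPLE_EVENTS = [
    r"10:01:07|C:\Program Files\Share\setup_game.exe|C:\DOCUME~1\bob\LOCALS~1\Temp\ptf3A.tmp",
    r"10:02:11|C:\WINDOWS\explorer.exe|C:\WINDOWS\system32\notepad.exe",
    r"10:03:40|C:\Downloads\sfx_archive.exe|C:\WINDOWS\Temp\PTF91.TMP",
    r"10:04:02|C:\WINDOWS\explorer.exe|C:\Tools\ptfview.tmp",
    r"malformed line without separators",
]


def is_temp_drop(image_path):
    """True if the image is named ptf*.tmp and sits under a temp directory."""
    path = PureWindowsPath(image_path)
    in_temp = any(part.lower() in TEMP_DIRS for part in path.parts[:-1])
    return in_temp and DROP_NAME.match(path.name) is not None


def find_suspect_launches(events):
    """Return (time, parent, child) for every process started from a ptf*.tmp drop."""
    hits = []
    for line in events:
        fields = line.strip().split("|")
        if len(fields) != 3:
            continue  # skip records that do not parse
        time, parent, child = fields
        if is_temp_drop(child):
            hits.append((time, parent, child))
    return hits


if __name__ == "__main__":
    for time, parent, child in find_suspect_launches(SAMPLE_EVENTS):
        # The parent is the overlay-carrying file to scan first.
        print(f"{time} scan parent: {parent} (launched {child})")
```

A hit is a triage lead rather than a verdict: other software may use similar temporary names, so the parent executable should be scanned with an up-to-date engine before any conclusion is drawn.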
The spread of such a virus undoubtedly caused anxiety among users of P2P networks, and it is strange enough that, although the presence of Win32.Polipos in these networks has not been a secret to anybody for a whole month, Dr.Web Anti-virus long remained the only anti-virus to detect it.
At the beginning of the epidemic the technical support service of Doctor Web, Ltd. received users' requests about false alarms on "clean files". But Dr.Web analysts proved the existence of a new virus. Dr.Web Anti-virus successfully detects different modifications of this complicated polymorphic virus due to the high technological level of the Dr.Web engine.
At present, the Virus monitoring service of Doctor Web, Ltd. has designed the curing procedure for files infected with Win32.Polipos. It was done for users whose anti-virus programs still do not detect this virus and whose computers, though protected by other anti-virus programs, are infected with the virus and let it infect other computers. The curing technique is rather difficult, as it requires processing the complicated cryptographic algorithm XTEA, and decoding the virus code can take much time. You should not download any additional curing utilities to cure the infected files; just use Dr.Web Anti-virus and update the virus bases on time.