Aliases
Virus.Win32.Hidrag.a (Kaspersky Lab) is also known as: Win32.Hidrag (Kaspersky Lab), Virus.Win32.Hidrag (Kaspersky Lab), W32/Jeefo (McAfee), W32.Jeefo (Symantec), Win32.HLLP.Jeefo.36352 (Doctor Web), W32/Jeefo-A (Sophos), Win32/HLLP.Jeefo (RAV), PE_JEEFO.A (Trend Micro), W32/Jeefo (H+BEDV), W32/Jeefo.A (FRISK), Win32:Jeefo (ALWIL), Win32/Hidrag.A (Grisoft), Win32.Jeefo.A (SOFTWIN), W32.Jeefo (ClamAV), W32/Jeefo (Panda), Win32/Jeefo.A (Eset)
Description added Jun 23 2003
Behavior Virus
Technical details
Hidrag is a non-dangerous memory resident parasitic Win32 virus. The virus infects Win32 PE EXE files. While infecting the virus encrypts a block of victim files.
When the Hidrag virus runs it creates a copy of itself that is about 36K in size and places it in the Windows directory using the name svchost.exe. Next Hidrag registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
PowerManager = %WindowsDir%\SVCHOST.EXE
Hidrag then stays in Windows memory as an active process, searches for EXE files on all drives - starting with the C: drive - and infects them.
The virus does not manifest itself in any way.
The virus contains the following encrypted text strings:
Hidden Dragon virus. Born in a tropical swamp.
PowerManagerMutant
