Virus.Win32.Pioneer

Overview

Type: Virus
Destruction Level: High
Prevalence in Iran: High


Malware Name(s)

  • Virus.Win32.Pioneer.a (Padvish)
  • Win32/Floxif.H (ESET)
  • Virus:Win32/Floxif.H (Microsoft)
  • Virus.Win32.Pioneer.cz (Kaspersky)


What is a virus?

In technical terms, a computer virus such as Pioneer is a type of malware that cannot replicate itself automatically. Viruses can infect all accessible executable files on the computer system, which usually have .exe and .dll extensions. During execution, a virus looks for non-infected (host) files and, to replicate, inserts its own code into the host file's code. Then, once the infected file is executed, the malicious code is executed too.


What is Pioneer Malware?

Virus.Win32.Pioneer targets executable files, Windows services, and system files. During execution, Pioneer generates multiple threads and actively searches for executables and system files to infect.
Key objectives include:
• Gathering and sending system details to malicious servers
• Downloading and running malware and other malicious software
• Capturing and transmitting passwords entered through Internet Explorer


Technical Description

Indicators of Compromise (IoCs)

• Performance Impact: Significant system slowdowns caused by CPU and RAM consumption from infected services.
• File Modifications: Presence of a vmp0 section appended to infected executable files.
• Suspicious DLL: A file named wsr25zt32.dll in the system, containing data collected from the infected system for transmission to its server.

• The presence of the following values in the registry: under each of the keys

HKEY_CURRENT_USER\Software\Microsoft\Currentversion\Internet Settings\1
HKEY_CURRENT_USER\Software\Microsoft\Currentversion\Internet Settings\2
HKEY_CURRENT_USER\Software\Microsoft\Currentversion\Internet Settings\3
HKEY_CURRENT_USER\Software\Microsoft\Currentversion\Internet Settings\4

the value names "1609", "1406" and "2103" are present. These registry values are configured to set a proxy port for unauthorized network access.


Description of behavior

• Upon execution, Pioneer attempts to connect to a set of domains, including:

ferrglashing.cc
vilbeaf-pestare.ru
avpzcheckshop.ru
mkz-coffespores.cc
avpzcheckshop2.ru
peshavar-Xtourism.com
indirs-factor.ws
www.indirs-factor.ws

• After establishing a connection, the malware randomly generates server names that carry MD5, SHA-1, SHA-256 and Tiger128,3 hash information derived from the files. Examples include:

gefa-bugin.com
pykyb-aguh.ru
decub-ydyg.ru

• After connecting to the malicious servers, the malware downloads, installs and executes other malicious software on the victim's system.

• Infecting executable files: to infect a file, it appends a section named vmp0 after the last section of the clean file, moves a piece of the clean file's code into this added section, and places the malware code in that spot of the clean file. It then changes the program's EntryPoint address.
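The following Python script is an added triage example, not code from the original page or from Padvish. It turns the two file-level traits described above (the appended vmp0 section from the IoC list, and the redirected EntryPoint from the infection step) into a header-only check: it parses the PE section table by hand, looks for a section named vmp0, notes whether it is the last section, and tests whether the entry point lands inside it. The two sample images it builds are constructed in memory for the demonstration and are not real executables; the function names are this example's own.

```python
"""Added triage example for the Pioneer file-infection traits described above.
Not code from the original page or from Padvish. Parses the PE section table
directly so it runs anywhere with a plain Python install."""
import struct
import sys
from pathlib import Path

VMP0_NAME = b"vmp0"  # section name the page reports Pioneer appends (no dot)


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize), ...])
    from a raw PE image; raises ValueError if the headers are not PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                    # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                        # IMAGE_OPTIONAL_HEADER (PE32 or PE32+)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))
    return entry_rva, sections


def check_pioneer_traits(data: bytes) -> dict:
    """Flag a vmp0 section, whether it is the last section (appended), and
    whether the entry point was redirected into it."""
    entry_rva, sections = parse_sections(data)
    result = {"has_vmp0": False, "vmp0_is_last": False, "entry_in_vmp0": False}
    for idx, (name, vaddr, vsize) in enumerate(sections):
        if name == VMP0_NAME:
            result["has_vmp0"] = True
            result["vmp0_is_last"] = idx == len(sections) - 1
            result["entry_in_vmp0"] = vaddr <= entry_rva < vaddr + vsize
    result["suspicious"] = result["has_vmp0"] and result["entry_in_vmp0"]
    return result


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed, header-only PE32 image for the demonstration (section bodies
    are empty); it is not a real executable and cannot run."""
    opt_size = 224                                      # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a clean layout, and one with vmp0 appended and the
# entry point moved into it, mirroring the infection steps described above.
CLEAN_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)], entry_rva=0x1100)
INFECTED_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000), (b"vmp0", 0x4000, 0x800)],
    entry_rva=0x4010)


def scan_file(path: Path) -> dict:
    """Run the check on a file on disk."""
    return check_pioneer_traits(path.read_bytes())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(arg, scan_file(Path(arg)))
    else:
        print("clean sample:   ", check_pioneer_traits(CLEAN_SAMPLE))
        print("infected sample:", check_pioneer_traits(INFECTED_SAMPLE))
```

Run it with one or more file paths to check files on disk, or with no arguments to see the two constructed samples. A vmp0 section that also contains the entry point matches the infection pattern the page describes, but because the check reads only headers, treat a hit as a candidate for a full antivirus scan rather than as proof of infection.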

• It searches for services that are not running and starts them after infecting them.

• Collecting system information and sending it to the malware server:
  Operating system specifications
  Windows Product ID
  Drive C specifications
• Disables protection for protected files and then infects them.
• In one thread, it searches all XML files and randomly deletes some of them.

• It captures the passwords entered through the IE browser by reading the HKEY_LOCAL_MACHINE\Microsoft\Internet Explorer\IntelliForms\Storage2 registry path and sends them to the malicious server.

• Randomly terminates some services and open windows.


Spreading method

It spreads in two ways:
• Through removable disks, to other systems;
• By infecting services, executable files, and Windows, to other drives of the infected system.


How to deal with and clean the system

Padvish Antivirus includes a UMP feature as part of its behavioral protection, which prevents infections from portable drives. To protect your system from malware such as Pioneer, which often spreads through removable devices, it is recommended to install Padvish Antivirus. This helps keep your device secure and protected from these threats.
