Parite.CBR, a polymorphic virus that infects all portable EXE files

March 9, 2015

The Dell SonicWALL Threats Research team has observed reports of a new variant of the Parite family, detected as GAV: Parite.CBR, actively spreading in the wild. Parite is a polymorphic file-infecting virus that infects all portable executable (EXE) files found on local and shared network drives.

When Parite runs on a system, it drops a dynamic link library (DLL) into the Windows Temp directory, injects that DLL into the Explorer.exe process, and from there infects all executable files on the target machine.

Infection Cycle:

MD5: 8d5d796b04a39a81c5bb1a012416b7f9

The malware uses the following icons:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dyg3AC.tmp

    • MD5 = 685F1CBD4AF30A1D0C25F252D399A666

  • C:\WINDOWS\Temp\tvg3AD.tmp

    • MD5 = 685F1CBD4AF30A1D0C25F252D399A666

  • %Userprofile%\Local Settings\Temp\Hx3B.tmp

    • MD5 = 9E7370CC3D6A43942433F85D0E2BBDD8

  • %Userprofile%\Local Settings\Temp\tmpD9.tmp

    • MD5 = CABDA69821AA1D94A9B05C24224961A3

  • C:\WINDOWS\wigweu.exe [ Service ]
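The dropped files above can be hunted for by hash. The script below is an added example, not SonicWall's code: it streams every file in the advisory's drop directories through MD5 and reports any that match the hashes listed. The hash set and directory names come from the advisory; the `demo()` function builds a constructed temporary directory with made-up file content so the sweep can be exercised offline (it hashes that constructed file on the spot instead of using the advisory's values).

```python
"""Hash-based sweep for the Parite.CBR drop files listed in the advisory.

Added example (not SonicWall's code). MD5 values and directory names are
from the advisory; everything in demo() is constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values taken from the advisory (lower-cased for comparison).
PARITE_MD5S = {
    "8d5d796b04a39a81c5bb1a012416b7f9",  # the analysed sample itself
    "685f1cbd4af30a1d0c25f252d399a666",  # dyg3AC.tmp / tvg3AD.tmp
    "9e7370cc3d6a43942433f85d0e2bbdd8",  # Hx3B.tmp
    "cabda69821aa1d94a9b05c24224961a3",  # tmpD9.tmp
}

# Drop locations named in the advisory. %VAR% syntax is expanded by
# os.path.expandvars on Windows; elsewhere it stays literal and is skipped.
DEFAULT_DIRS = [
    r"%USERPROFILE%\Local Settings\Temp",
    r"C:\WINDOWS\Temp",
    r"C:\WINDOWS",
]


def md5_of_file(path, chunk_size=1 << 16):
    """Stream a file through MD5 so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(directories, known_hashes=PARITE_MD5S, recursive=False):
    """Return [(path, md5)] for files under `directories` whose MD5 is in known_hashes."""
    hits = []
    for entry in directories:
        root = Path(os.path.expandvars(entry))
        if not root.is_dir():
            continue  # directory absent on this host (or non-Windows): nothing to do
        candidates = root.rglob("*") if recursive else root.iterdir()
        for path in candidates:
            if not path.is_file():
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if digest.lower() in known_hashes:
                hits.append((str(path), digest))
    return hits


def demo():
    """Run the sweep on a constructed directory tree.

    The file content is made up, so its hash is computed here and used as the
    'known bad' set; on a real host you would call sweep(DEFAULT_DIRS) and
    rely on PARITE_MD5S instead.
    """
    temp_dir = Path(tempfile.mkdtemp()) / "Temp"
    temp_dir.mkdir()
    dropped = temp_dir / "dyg3AC.tmp"  # file name from the advisory, content constructed
    dropped.write_bytes(b"constructed stand-in for the dropped DLL")
    (temp_dir / "notes.txt").write_bytes(b"benign file, should not match")
    return sweep([str(temp_dir)], known_hashes={md5_of_file(dropped)})


if __name__ == "__main__":
    for matched_path, matched_md5 in demo():
        print(f"MATCH {matched_md5}  {matched_path}")
```

Only the first-level contents of `C:\WINDOWS` are hashed by default because a recursive walk of the whole Windows directory is slow; pass `recursive=True` when the sweep is scoped to the Temp directories alone.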

The malware adds the following [random name] key to the Windows registry [as a service] to ensure persistence upon reboot:

Through the injected Explorer.exe, the malware infects all portable EXE files found on local and shared network drives; after some time it terminates and deletes its own process. Here is an example of an infected file:

Parite tries to enumerate open SMB ports on the LAN. When an SMB service is identified, the malware attempts to log in with user names and passwords from a predefined list, which contains the following:

If the malware successfully guesses the remote access credentials of an SMB host, it installs a copy of itself on the target network share, as the following files show:
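The SMB credential guessing described in the two paragraphs above (and in the traffic section further down) leaves a recognisable trace on the target: a burst of failed network logons from one source across several account names, optionally followed by a success. The detection below is an added example, not SonicWall's code. The advisory publishes no log excerpt, so the records are constructed, simplified Windows Security log entries (event 4625 = failed logon, 4624 = successful logon, logon type 3 = network logon, which is what an SMB session setup produces); the field names are this example's own rather than a real log schema.

```python
"""Detect SMB credential guessing from constructed Windows logon events.

Added example (not SonicWall's code). Event IDs and logon type are the real
Windows values; the sample records and field names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
NETWORK_LOGON = 3  # logon type produced by an SMB session setup

# Constructed sample: 10.0.0.25 sprays a short account list at a host and then
# gets in as 'backup'; 10.0.0.40 is a user who mistyped a password twice;
# 10.0.0.41 is an interactive (type 2) failure that the rule must ignore.
SAMPLE_EVENTS = [
    {"ts": "2015-03-09T10:00:01", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "administrator"},
    {"ts": "2015-03-09T10:00:07", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "admin"},
    {"ts": "2015-03-09T10:00:13", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "guest"},
    {"ts": "2015-03-09T10:00:19", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "backup"},
    {"ts": "2015-03-09T10:00:25", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "test"},
    {"ts": "2015-03-09T10:00:31", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.25", "user": "user"},
    {"ts": "2015-03-09T10:00:35", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.25", "user": "backup"},
    {"ts": "2015-03-09T10:05:00", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.40", "user": "jsmith"},
    {"ts": "2015-03-09T10:05:10", "event_id": 4625, "logon_type": 3, "src_ip": "10.0.0.40", "user": "jsmith"},
    {"ts": "2015-03-09T10:05:20", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.0.40", "user": "jsmith"},
    {"ts": "2015-03-09T10:06:00", "event_id": 4625, "logon_type": 2, "src_ip": "10.0.0.41", "user": "bob"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def detect_guessing(events, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Return one alert dict per source IP that produced at least `min_failures`
    network-logon failures across at least `min_users` accounts within `window`.
    Each alert also records the first successful network logon after the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != NETWORK_LOGON:
            continue  # interactive/service logons are not SMB session setups
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append((_when(ev), ev["user"]))
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[ev["src_ip"]].append((_when(ev), ev["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        # Sliding window: keep the densest run of failures that fits in `window`.
        best, start = [], 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = attempts[start:end + 1]
        users = sorted({user for _, user in best})
        if len(best) < min_failures or len(users) < min_users:
            continue
        last_failure = best[-1][0]
        later = [user for when, user in successes.get(src, []) if when > last_failure]
        alerts.append({
            "src_ip": src,
            "failures": len(best),
            "users": users,
            "burst_start": best[0][0].isoformat(),
            "burst_end": last_failure.isoformat(),
            "success_after_burst": later[0] if later else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_EVENTS):
        print(alert)
```

The distinct-user threshold is what separates a spraying host from a single user locked out by a wrong password; a success from the same source right after the burst is the signal that the guess worked and the share should be checked for the dropped copies listed above.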

Command and Control (C&C) Traffic

Parite carries out its C&C communication over ports 80, 445 and 8080. It sends requests to statically defined IPs/domains on a regular basis.
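Regular requests to a fixed address on a fixed port is the beaconing pattern a network defender can look for without knowing the C&C address in advance. The script below is an added example, not SonicWall's code: it groups flow records by (source, destination, port), restricts them to the ports named above, and flags tuples whose inter-request gaps are nearly constant. The advisory publishes no C&C addresses, so the flow records are constructed and the destinations 203.0.113.10 and 198.51.100.7 are documentation-range placeholders.

```python
"""Beacon detection over constructed flow records for the Parite.CBR C&C ports.

Added example (not SonicWall's code). Ports are from the advisory; the flow
records, addresses and thresholds are constructed for this demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

CNC_PORTS = {80, 445, 8080}  # ports named in the advisory

# Constructed flow records: (seconds since capture start, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # 10.0.0.25 polls one fixed address about every 5 minutes: beacon-like.
    (0, "10.0.0.25", "203.0.113.10", 8080),
    (300, "10.0.0.25", "203.0.113.10", 8080),
    (598, "10.0.0.25", "203.0.113.10", 8080),
    (900, "10.0.0.25", "203.0.113.10", 8080),
    (1200, "10.0.0.25", "203.0.113.10", 8080),
    (1499, "10.0.0.25", "203.0.113.10", 8080),
    (1800, "10.0.0.25", "203.0.113.10", 8080),
    # 10.0.0.40 browses a web server at human-irregular intervals: not a beacon.
    (0, "10.0.0.40", "198.51.100.7", 80),
    (5, "10.0.0.40", "198.51.100.7", 80),
    (125, "10.0.0.40", "198.51.100.7", 80),
    (127, "10.0.0.40", "198.51.100.7", 80),
    (1027, "10.0.0.40", "198.51.100.7", 80),
    (1067, "10.0.0.40", "198.51.100.7", 80),
    (1082, "10.0.0.40", "198.51.100.7", 80),
    # Traffic on a port outside the advisory's set is never considered.
    (10, "10.0.0.25", "203.0.113.10", 443),
    (310, "10.0.0.25", "203.0.113.10", 443),
]


def beacon_candidates(flows, ports=CNC_PORTS, min_flows=6, max_jitter=0.15):
    """Return (src, dst, port, mean_gap_seconds) for every connection tuple on
    `ports` with at least `min_flows` flows whose inter-request gaps have a
    coefficient of variation (stdev / mean) no larger than `max_jitter`."""
    times_by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ports:
            times_by_tuple[(src, dst, port)].append(ts)

    candidates = []
    for key, times in times_by_tuple.items():
        if len(times) < min_flows:
            continue  # too few observations to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue  # all flows at the same instant: a burst, not a beacon
        if pstdev(gaps) / avg_gap <= max_jitter:
            candidates.append((*key, avg_gap))
    return candidates


if __name__ == "__main__":
    for src, dst, port, gap in beacon_candidates(SAMPLE_FLOWS):
        print(f"beacon candidate: {src} -> {dst}:{port} every ~{gap:.0f}s")
```

Port 80 and 8080 traffic is noisy on any network, so in practice the candidate list is then cross-checked against the static destinations from the sample or against proxy logs; the periodicity test narrows the search rather than confirming infection by itself.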

The malware sends SMB requests across the LAN to guess the remote access credentials of target systems; here is an example:

Parite uses the Tor anonymity network to carry out communication between victims and attackers, keeping it away from security researchers and law enforcement officials.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Parite.CBR ( Trojan )