Threat Description

Oporto

Details

Category: Malware
Platform: W32
Aliases: Oporto, Win32_Oporto, Win32.Oporto

Summary


Oporto is a Windows virus. It stays in memory only until the host process (infected program process) terminates. The virus infects PE (Portable Executable) files, the infection is of appending type. Upon infection the virus increases the size of the last file section, writes its code there and modifies necessary fields in PE header (affected section characteristics). To get control when an infected file is run, the virus replaces first bytes of program's startup code with a short routine that passes control to virus body. With this trick the virus doesn't have to modify program's entry point address. Before the virus passes control to the host program the replaced area is restored.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


When an infected file is run, the virus searches for PE EXE files in current directory, then in Windows or Windows system directories, and infects these files. Then the virus hooks up to 15 Windows file access functions (file searching, opening, etc.) and stays in Windows memory as a part of host program. When hooked functions are accessed the virus searches for more PE EXE files on the disk and infects them.

The virus is able to hook Windows functions only in case the host program uses them (the program has imports of these functions from Windows kernel). The 'life-time' of the resident virus copy fully depends on the life-time of the host program: when it is terminated, the resident virus code is terminated too.

The virus has a payload: it deletes anti-virus data file ANTI-VIR.DAT if found. On 24th of September the virus displays a MessageBox and halts the system:





Technical Details:Eugene Kaspersky, AVP Team


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More