W32/Liji-A virus propagation

A new virus appeared today, albeit one that infects and propagates in a slightly different way from the usual file infector.

The virus W32/Liji-A consists of two core components: an executable (EXE) and a dynamic link library (DLL) that the executable drops when it is run.

The two components divide the work as follows:

Dynamic link library (DLL) – Contains the infection code. The infection routine is called through a function exported by the library. The infection code also checks for an infection marker, which prevents files that have already been infected with W32/Liji-A from being infected a second time.

Main executable (EXE) – The main functional program. It can spread via network shares and removable drives. It also enumerates folders on the infected computer and infects the clean executables it finds there.

In a slight twist, the infected files do not go on to infect other files. Instead, when an infected file is run, it connects to a remote website and attempts to download a file. The downloaded file is a copy of the main executable (W32/Liji-A), so each infected file acts as a downloader rather than as an infector in its own right.

W32/Liji-A also contains a disinfection capability that cleans executables previously infected with the virus.
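The same infection marker that stops the virus re-infecting a file is, from the defender's side, a reliable indicator of compromise and the hook a disinfection routine keys on. The following is an added example, not Sophos's code and not W32/Liji-A's: it walks a directory tree the way the main executable does, identifies PE files, flags those carrying a marker and restores them. The on-disk layout it assumes (original PE bytes, then a stub, then the original length, then the marker) and the marker string `LIJI-EXAMPLE-MARK` are hypothetical illustrations of an appended infector in general; they are not the real Liji-A format, which the page does not describe.

```python
"""
Added example (not Sophos's code, not W32/Liji-A's own code).

Hypothetical appended-infector layout assumed throughout, for illustration only:

    <original PE bytes><stub bytes><8-byte little-endian original length><MARKER>

A real sample's marker, offsets and stub would have to come from analysis.
"""
import os
import struct
import tempfile

MARKER = b"LIJI-EXAMPLE-MARK"   # hypothetical marker chosen for this example
TRAILER = struct.Struct("<Q")   # original length stored just before the marker


def is_pe(data: bytes) -> bool:
    """Cheap PE check: DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_marked(data: bytes) -> bool:
    """The infection-marker test: the infector uses it to skip files it already
    owns; a scanner uses the very same test as an indicator of compromise."""
    return len(data) >= TRAILER.size + len(MARKER) and data.endswith(MARKER)


def disinfect(data: bytes) -> bytes:
    """Recover the original executable from the hypothetical appended layout."""
    if not is_marked(data):
        return data
    trailer_at = len(data) - len(MARKER) - TRAILER.size
    orig_len = TRAILER.unpack_from(data, trailer_at)[0]
    if orig_len > trailer_at:
        raise ValueError("corrupt trailer: original length exceeds file size")
    return data[:orig_len]


def make_sample(data: bytes, stub: bytes) -> bytes:
    """Builds a test fixture in the hypothetical layout. Like the real infector's
    marker check, it leaves an already-marked file untouched (idempotent)."""
    if is_marked(data):
        return data
    return data + stub + TRAILER.pack(len(data)) + MARKER


def minimal_pe() -> bytes:
    """Constructed 128-byte blob that passes is_pe(); it is not a runnable image."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


def scan_tree(root: str, clean: bool = False) -> dict:
    """Enumerate root like the main executable does; report each PE file as
    'clean', 'marked' or (when clean=True) 'restored'. Keys use '/' separators."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_pe(data):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if not is_marked(data):
                report[rel] = "clean"
            elif clean:
                with open(path, "wb") as fh:
                    fh.write(disinfect(data))
                report[rel] = "restored"
            else:
                report[rel] = "marked"
    return report


def demo() -> dict:
    """Constructed fixture: one clean PE, one marked PE in a subfolder, one text file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        pe = minimal_pe()
        with open(os.path.join(root, "clean.exe"), "wb") as fh:
            fh.write(pe)
        with open(os.path.join(root, "sub", "marked.exe"), "wb") as fh:
            fh.write(make_sample(pe, b"STUB" * 8))
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"not a PE file")
        before = scan_tree(root)              # detect only
        after = scan_tree(root, clean=True)   # detect and restore
        with open(os.path.join(root, "sub", "marked.exe"), "rb") as fh:
            restored_ok = fh.read() == pe
    return {"before": before, "after": after, "restored_ok": restored_ok}


if __name__ == "__main__":
    print(demo())
```

The design point is that a marker-based re-infection check is only as good as the marker: because it must be cheap for the infector to test, it is equally cheap for a scanner to test, and once the layout is known the same trailer that tells the virus "already done" tells the cleaner where the original file ends. Against a real sample, `MARKER`, the trailer format and `disinfect` would be replaced with what analysis of that sample shows.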

More technical details can be found on the main Sophos website.

http://www.sophos.com/security/analyses/w32lijia.html