Parite.CBR: a polymorphic virus that infects all portable EXE files


The Dell SonicWALL Threats Research team observed reports of a Parite bot family, detected as GAV: Parite.CBR, actively spreading in the wild. This is a new variant of the well-known Parite, a polymorphic file-infecting virus that infects all portable EXE files found on local and shared network drives.

When Parite runs on a system it drops a dynamic link library (DLL) into the Windows Temp directory. The malware then injects the DLL into the Explorer.exe process and infects all executable files on the target machine.

Infection Cycle:

MD5: 8d5d796b04a39a81c5bb1a012416b7f9

The malware uses the following icons:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dyg3AC.tmp

    • MD5: 685F1CBD4AF30A1D0C25F252D399A666

  • C:\WINDOWS\Temp\tvg3AD.tmp

    • MD5: 685F1CBD4AF30A1D0C25F252D399A666

  • %Userprofile%\Local Settings\Temp\Hx3B.tmp

    • MD5: 9E7370CC3D6A43942433F85D0E2BBDD8

  • %Userprofile%\Local Settings\Temp\tmpD9.tmp

    • MD5: CABDA69821AA1D94A9B05C24224961A3

  • C:\WINDOWS\wigweu.exe [ Service ]

The malware adds the following [random name] keys to the Windows registry [as a service] to ensure persistence upon reboot:

The malware uses the injected Explorer.exe to infect all portable EXE files found on local and shared network drives; after some time it terminates and deletes its own process. Here is an example of an infected file:

Parite tries to enumerate open SMB ports on the LAN. When an SMB service is identified, the malware attempts to log in with user names and passwords from a predefined list, which contains the following:

If the malware successfully guesses the remote access credentials of an SMB system, it installs a copy of itself on the target network share, for example as the following files:

Command and Control (C&C) Traffic

Parite carries out its C&C communication over ports 80, 445 and 8080. It sends requests to statically defined IPs/domains on a regular basis.

The malware sends SMB requests on the LAN to guess the remote access credentials of the target system; here is an example:
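As an added example (not code from the original post or from SonicWALL), the following Python sketch shows one way a defender can spot the list-driven SMB credential guessing described above from the host side: it runs over constructed, simplified Windows Security log lines (4625 = failed network logon, 4624 = successful network logon) and flags any source that burns through several user names against several hosts inside a short window, noting whether a successful logon followed the burst. The log line format, the thresholds and the IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified Windows Security events, not from
# the original page): 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOG = """\
2015-03-10T09:00:01 4625 src=10.0.0.25 user=administrator host=FS01
2015-03-10T09:00:02 4625 src=10.0.0.25 user=admin host=FS01
2015-03-10T09:00:02 4625 src=10.0.0.25 user=guest host=FS01
2015-03-10T09:00:03 4625 src=10.0.0.25 user=administrator host=FS02
2015-03-10T09:00:04 4625 src=10.0.0.25 user=test host=FS03
2015-03-10T09:00:05 4624 src=10.0.0.25 user=administrator host=FS03
2015-03-10T09:05:00 4625 src=10.0.0.40 user=alice host=FS01
"""

def parse_line(line):
    """One log line -> dict, or None if it does not fit the expected shape."""
    try:
        ts, event, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        rec["event"] = int(event)
        return rec
    except ValueError:
        return None

def detect_smb_guessing(log_text, window=timedelta(minutes=1),
                        min_failures=5, min_users=3):
    """Return {src: summary} for sources with >= min_failures failed logons
    inside `window` spread over >= min_users distinct user names; a later
    4624 from the same source is noted as a probable successful guess."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_src[ev["src"]].append(ev)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["event"] == 4625]
        start = 0
        for end, ev in enumerate(fails):          # sliding time window
            while ev["ts"] - fails[start]["ts"] > window:
                start += 1
            burst = fails[start:end + 1]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                hits[src] = {"failures": len(burst), "users": sorted(users),
                             "targets": sorted({e["host"] for e in burst}),
                             "success_after_burst": any(
                                 e["event"] == 4624 and e["ts"] >= ev["ts"]
                                 for e in events)}
    return hits
```

On real data, feed the function the 4624/4625 events with logon type 3 exported from the file servers and tune the window and thresholds to the environment's normal failure rate.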

Parite uses the Tor anonymity network to carry out communication between victims and attackers, keeping it away from security researchers and law enforcement officials.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Parite.CBR ( Trojan )
