Resurgence of virus infector PE_FLOXIF

Product / Version includes:

OfficeScanXG , OfficeScan11.0 , Apex One as a ServiceAll , Apex OneAll , Worry-Free Business Security StandardAll

Last updated: 2024/06/14

Solution ID: KA-0010812

Category: Remove a Malware / Virus

Summary

The PE_Floxif family is a known virus infector that was first observed and detected by Trend Micro since 2012. Just recently, there is an observed increase in incidents related to this PE infection. This article showcases details about this threat and provides information should users encounter this type of malware.

"PE_" is the Trend Micro detection for "Portable Executable Malware " .These are malicious program that self-copy or insert itself to another program - commonly refer to as a virus infector. Floxif entry point is like other malware. Normally, it may be downloaded via web/email, dropped by other malware and the most common is when a previously infected file is shared either via USB or Shared Drive.

Virus Reports

Capabilities

Anti-Sandbox Mechanism
Infects EXEs and DLLs running on the background and attaches itself as part of its routine
Persistence on Load AppInit which allows the malware to hook the main malware file to any executable that the user executes

Indicators of Compromise

hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible

Detections	Hash (SHA1)
PE_FLOXIF.SM-O	14ba3fa927a06224dfe587014299e834def4644f
PE_FLOXIF.D	f64e0c9c8cfabf8fcf6e88905b812a1ce0872b4f

Solution	OPR / POLICY
PE_FLOXIF.SM-O	11.127.00
PE_FLOXIF.D	15.299.00
Behavior Monitoring (TMTD)	PA4734S

Containment

Check how many endpoints are affected by doing the following.
1. Filter Virus Logs / Anti-Malware Events by their detection name.
2. Create a Pivot Table similar to the following.
  
  ^{Click the image to enlarge.}
Identify Infection sources by filtering through Source Host which can be done either on the pivot table or on the web portal.

^{Click the image to enlarge.}
Isolate the endpoints for cleanup.
For a larger outbreak, Outbreak Prevention Policies can be utilized.

Cleanup

For Endpoints with functional and updated Security Software:

Configure Real Time Scan, Scheduled Scan, Manual Scan, and Scan Now with the following Settings.
- Set scan target to "All scannable files".
  
  ^{Click the image to enlarge.}
- Set scan actions to customized actions.
  
  ^{Click the image to enlarge.}
- Remove scan exclusions.
  
  ^{Click the image to enlarge.}
Perform a network-wide scan.

For Isolated Endpoints or Endpoints without Functional AV Software:

Option 1: ATTK Offline Clean Tool
1. Download Trend Micro Anti-Threat Toolkit – Offline Clean Tool:
  32-bit
  64-bit
2. Since the malware infects .exe files, change the extension of the tool to .com. It is recommended to run it inside C:\Windows\.
3. Click Fix on the detected items, and click Restart once prompted.
  
  ^{Click the image to enlarge.}
Option 2: Trend Micro Rescue Disk
1. For Cleanup choose Scan for Security Threats.
  
  ^{Click the image to enlarge.}
2. Perform a Full Scan.
  
  ^{Click the image to enlarge.}
3. A message should appear once the files are cleaned. For files that are not cleaned, this can be deleted manually or sent to Trend Micro for analysis.
  
  ^{Click the image to enlarge.}

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Resurgence of virus infector PE_FLOXIF

Resurgence of virus infector PE_FLOXIF

Product / Version includes:

Summary