Resurgence of virus infector PE_FLOXIF

    • Updated: 19 Aug 2020
    • Product/Version: Apex One, Apex One as a Service, OfficeScan 11.0, OfficeScan XG, Worry-Free Business Security Standard (all versions)
Summary

The PE_FLOXIF family is a known virus (file) infector that Trend Micro first observed and detected in 2012. Recently there has been an observed increase in incidents related to this PE infection. This article gives details about the threat and provides guidance for users who encounter this type of malware.

"PE_" is the Trend Micro detection prefix for Portable Executable malware: malicious programs that copy or insert themselves into other programs, commonly referred to as virus infectors. Floxif enters an environment the same way other malware does. It may be downloaded via web or email or dropped by other malware, but the most common route is a previously infected file being shared via a USB drive or a network share.

Virus Reports

Capabilities

  • Anti-Sandbox Mechanism
  • Infects EXE and DLL files that are running in the background, attaching itself to them as part of its routine
  • Persistence via the LoadAppInit_DLLs / AppInit_DLLs registry values, which causes Windows to load the main malware component into (hook it into) executables the user runs

Indicators of Compromise

  • hxxps://trendupdate[.]dns05[.]com (C&C Server) – no longer accessible
Detection         Hash (SHA1)
PE_FLOXIF.SM-O    14ba3fa927a06224dfe587014299e834def4644f
PE_FLOXIF.D       f64e0c9c8cfabf8fcf6e88905b812a1ce0872b4f
Details
Solution                     OPR / Policy
PE_FLOXIF.SM-O               11.127.00
PE_FLOXIF.D                  15.299.00
Behavior Monitoring (TMTD)   PA4734S
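A read-only triage script for a single Windows endpoint, added here as an example and not part of the Trend Micro article or its tooling. It reads the AppInit_DLLs persistence values that the capability list refers to (both the native and the WOW6432Node registry view), hashes every DLL registered there, and sweeps a directory tree for the two SHA1 hashes published above. The registry paths are the standard Windows ones and the hashes are the article's; the default scan directory, the path-resolution rule for bare DLL names and the output layout are assumptions.

```powershell
# Added example (not part of the Trend Micro article). Read-only triage for
# PE_FLOXIF indicators on a Windows endpoint; needs PowerShell 4.0 or later
# (Get-FileHash). Run from an elevated prompt if HKLM reads are restricted.

# SHA1 hashes published in the article, keyed lowercase for comparison.
$KnownHashes = @{
    '14ba3fa927a06224dfe587014299e834def4644f' = 'PE_FLOXIF.SM-O'
    'f64e0c9c8cfabf8fcf6e88905b812a1ce0872b4f' = 'PE_FLOXIF.D'
}

# Standard Windows keys holding AppInit_DLLs. When LoadAppInit_DLLs = 1 every
# DLL listed is loaded into each new process that loads user32.dll, which is the
# "hook into any executable the user runs" behaviour described above.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

function Get-Sha1Lower {
    param([string]$Path)
    $h = Get-FileHash -Path $Path -Algorithm SHA1 -ErrorAction SilentlyContinue
    if ($h) { $h.Hash.ToLower() }
}

function Get-AppInitPersistence {
    # One record per registered DLL (or a single '(none)' record per key view).
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # Assumption: bare DLL names resolve from the system directory of that view.
        $sysDir = if ($key -like '*WOW6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
        # AppInit_DLLs is a space- or comma-separated list of DLL paths.
        $dlls = @()
        if (-not [string]::IsNullOrWhiteSpace($p.AppInit_DLLs)) {
            $dlls = @($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }
        if ($dlls.Count -eq 0) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $p.LoadAppInit_DLLs; Dll = '(none)'; SHA1 = $null; Detection = '' }
            continue
        }
        foreach ($dll in $dlls) {
            $full = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sysDir $dll }
            $sha1 = if (Test-Path $full) { Get-Sha1Lower $full } else { $null }
            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $p.LoadAppInit_DLLs
                Dll              = $full
                SHA1             = $sha1
                Detection        = $(if ($sha1 -and $KnownHashes.ContainsKey($sha1)) { $KnownHashes[$sha1] } else { '' })
            }
        }
    }
}

function Find-KnownFloxifHashes {
    # Sweep a directory tree for files whose SHA1 matches the published samples.
    # A file infector alters every host file it touches, so this only finds the
    # specific samples; infected host files are found by the pattern scan.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = Get-Sha1Lower $_.FullName
            if ($sha1 -and $KnownHashes.ContainsKey($sha1)) {
                [pscustomobject]@{ File = $_.FullName; SHA1 = $sha1; Detection = $KnownHashes[$sha1] }
            }
        }
}

# Usage (assumed scan root; point it at the share or profile you are triaging):
Get-AppInitPersistence | Format-Table -AutoSize
Find-KnownFloxifHashes -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Any record with LoadAppInit_DLLs set to 1 and a DLL path you do not recognise is worth pulling for analysis even when its hash does not match, since the two published hashes cover only those samples. Do not delete the DLL from a live system by hand: the host executables are still infected, so follow the Cleanup section below.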

Containment

  1. Check how many endpoints are affected:
    1. Filter the Virus Logs / Anti-Malware Events by detection name (PE_FLOXIF.*).
    2. Create a pivot table of the filtered events, counting detections per endpoint and per source host.

  2. Identify infection sources by filtering on Source Host, either in the pivot table or on the web console.

  3. Isolate the endpoints for cleanup.
  4. For a larger outbreak, Outbreak Prevention Policies can be utilized.
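The pivot from steps 1 and 2 above, built from an exported virus log CSV. This is an added example, not Trend Micro's code: the column names (Endpoint, Detection, InfectionSource, FilePath) and the sample rows are constructed for illustration, so map the names to the header of your own console export before running it on real data.

```powershell
# Added example (not part of the Trend Micro article). Builds the containment
# pivot from an exported virus log CSV. Column names are assumptions; map them
# to the header of your own console export.

# Constructed sample export, not real telemetry.
$SampleCsv = @'
Endpoint,Detection,InfectionSource,FilePath
WS-0142,PE_FLOXIF.SM-O,\\FILESRV01\public\setup.exe,C:\Users\alice\Downloads\setup.exe
WS-0142,PE_FLOXIF.D,WS-0142,C:\Program Files\Tool\tool.exe
WS-0207,PE_FLOXIF.SM-O,\\FILESRV01\public\setup.exe,C:\Temp\setup.exe
WS-0311,PE_FLOXIF.SM-O,E:\,E:\utils\patch.exe
WS-0311,TROJ_GEN.R002C0ABC,http://host.invalid/x,C:\Temp\x.exe
'@

function Get-FloxifOutbreakSummary {
    param(
        [Parameter(Mandatory)][object[]]$Log,
        [string]$DetectionPattern = '^PE_FLOXIF'   # step 1: filter by detection name
    )
    $hits = @($Log | Where-Object { $_.Detection -match $DetectionPattern })

    # Pivot 1: detections per endpoint (how many machines need isolation).
    $byEndpoint = $hits | Group-Object Endpoint | Sort-Object Count -Descending |
        Select-Object @{ n = 'Endpoint'; e = { $_.Name } }, Count

    # Pivot 2: detections per infection source (step 2). A source shared by
    # several endpoints is the spreader to isolate and clean first; a source
    # equal to the endpoint itself means the file was already local.
    $bySource = $hits | Group-Object InfectionSource | Sort-Object Count -Descending |
        Select-Object @{ n = 'InfectionSource'; e = { $_.Name } }, Count,
                      @{ n = 'Endpoints'; e = { ($_.Group.Endpoint | Sort-Object -Unique) -join ', ' } }

    [pscustomobject]@{
        AffectedEndpoints = @($hits.Endpoint | Sort-Object -Unique).Count
        ByEndpoint        = $byEndpoint
        BySource          = $bySource
    }
}

# Real use: $log = Import-Csv .\VirusLogs.csv
$log = $SampleCsv | ConvertFrom-Csv
$summary = Get-FloxifOutbreakSummary -Log $log
"PE_FLOXIF hits on $($summary.AffectedEndpoints) endpoint(s)"
$summary.ByEndpoint | Format-Table -AutoSize
$summary.BySource   | Format-Table -AutoSize
```

With the sample rows the script reports three affected endpoints and ranks the FILESRV01 share first, because two different endpoints picked the file up from it; that share is the one to take offline and scan before the endpoints are returned to the network, otherwise they are reinfected on the next copy.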

Cleanup

For Endpoints with functional and updated Security Software:

  1. Configure Real-Time Scan, Scheduled Scan, Manual Scan, and Scan Now with the following settings:
    • Set scan target to "All scannable files".

    • Set scan actions to customized actions.

    • Remove scan exclusions.

  2. Perform a network-wide scan.

For Isolated Endpoints or Endpoints without Functional AV Software:

  • Option 1: ATTK Offline Clean Tool
    1. Download Trend Micro Anti-Threat Toolkit – Offline Clean Tool:

      32-bit
      64-bit

    2. Because the malware infects .exe files, rename the tool's extension from .exe to .com before running it, so an active infector does not attach itself to the tool. It is recommended to run it from inside C:\Windows\.
    3. Click Fix on the detected items, and click Restart once prompted.

  • Option 2: Trend Micro Rescue Disk
    1. For Cleanup choose Scan for Security Threats.

    2. Perform a Full Scan.

    3. A message appears once the files are cleaned. Files that cannot be cleaned can be deleted manually or sent to Trend Micro for analysis.

Category:
Remove a Malware / Virus
Solution Id:
000263034